Sowbug, Group G0054 | MITRE ATT&CK®
Sowbug
Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. [1]
ID: G0054
Contributors: Alan Neville, @abnev
Version: 1.1
Created: 16 January 2018
Last Modified: 25 April 2025
Techniques Used

Domain | ID | Name | Use
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Sowbug extracted documents and bundled them into a RAR archive. [1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Sowbug has used the command line during its intrusions. [1]
Enterprise | T1039 | Data from Network Shared Drive | Sowbug extracted Word documents from a file server on a victim network. [1]
Enterprise | T1083 | File and Directory Discovery | Sowbug identified and extracted all Word documents on a server by using a command containing *.doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim. [1]
Enterprise | T1056.001 | Input Capture: Keylogging | Sowbug has used keylogging tools. [1]
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security. [1]
Enterprise | T1135 | Network Share Discovery | Sowbug listed remote shared drives that were accessible from a victim. [1]
Enterprise | T1003 | OS Credential Dumping | Sowbug has used credential dumping tools. [1]
Enterprise | T1082 | System Information Discovery | Sowbug obtained OS version and hardware configuration from a victim. [1]
Software

ID | Name | References | Techniques
S0171 | Felismus | [1] | Application Layer Protocol: Web Protocols; Command and Scripting Interpreter: Windows Command Shell; Data Encoding: Standard Encoding; Encrypted Channel: Symmetric Cryptography; Ingress Tool Transfer; Masquerading: Match Legitimate Resource Name or Location; Software Discovery: Security Software Discovery; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery
S0188 | Starloader | [1] | Deobfuscate/Decode Files or Information; Masquerading: Match Legitimate Resource Name or Location
References

[1] Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.