Sowbug

Introduction

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. Symantec Sowbug Nov 2017

Activities and Tactics

Targeted Sectors: Government

Country of Origin: 🏳️ Unknown

Risk Level: High

Incident Type: Espionage

Suspected Victims: Argentina, Ecuador, Brazil, Brunei, Peru, Malaysia

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

• T1083 File and Directory Discovery
• T1039 Data from Network Shared Drive
• T1560.001 Archive via Utility
• T1059.003 Windows Command Shell
• T1056.001 Keylogging
• T1135 Network Share Discovery
• T1036.005 Match Legitimate Resource Name or Location
• T1003 OS Credential Dumping
• T1082 System Information Discovery

ATT&CK technique IDs (denormalized)

• T1003
• T1036.005
• T1039
• T1056.001
• T1059.003
• T1082
• T1083
• T1135
• T1560.001

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

• CyberGate
• Cyber Eye RAT
• Felismus:

MITRE ATT&CK Software

• Starloader (S0188) — malware
• Felismus (S0171) — malware

Attribution and Evidence

Country of Origin: Unknown Additional attribution information pending cataloguing.

References

[1] mitre-attack [3] Symantec Sowbug Nov 2017 Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.