Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643)

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643)	Intrusion Set	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	1
Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643)	Intrusion Set	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643)	Intrusion Set	1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643)	Intrusion Set	1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643)	Intrusion Set	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643)	Intrusion Set	1
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643)	Intrusion Set	1
Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643)	Intrusion Set	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	1
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848)	mitre-tool	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83)	Attack Pattern	ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466)	Attack Pattern	2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	3
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	3
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3