Skip to content

Hide Navigation Hide TOC

Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643)

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)

Cluster A Galaxy A Cluster B Galaxy B Level
Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set 1
Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 1
Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set 1
Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 1
Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83) Attack Pattern 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3