Skip to content

Hide Navigation Hide TOC

Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643)

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)

Cluster A Galaxy A Cluster B Galaxy B Level
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set 1
Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set 1
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set 1
Mofang - G0103 (88489675-d216-4884-a98f-49a89fcc1643) Intrusion Set Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 2
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
ShimRatReporter - S0445 (115f88dd-0618-4389-83cb-98d33ae81848) mitre-tool Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 2
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 3
Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3