Skip to content

Hide Navigation Hide TOC

Sowbug (1ca3b039-404e-4132-88c2-4e41235cd2f5)

Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates.

Cluster A Galaxy A Cluster B Galaxy B Level
Sowbug (1ca3b039-404e-4132-88c2-4e41235cd2f5) Threat Actor Sowbug - G0054 (d1acfbb3-647b-4723-9154-800ec119006e) Intrusion Set 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Sowbug - G0054 (d1acfbb3-647b-4723-9154-800ec119006e) Intrusion Set 2
Sowbug - G0054 (d1acfbb3-647b-4723-9154-800ec119006e) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Sowbug - G0054 (d1acfbb3-647b-4723-9154-800ec119006e) Intrusion Set OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Sowbug - G0054 (d1acfbb3-647b-4723-9154-800ec119006e) Intrusion Set Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
Sowbug - G0054 (d1acfbb3-647b-4723-9154-800ec119006e) Intrusion Set Starloader - S0188 (96566860-9f11-4b6f-964d-1c924e4f24a4) Malware 2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Sowbug - G0054 (d1acfbb3-647b-4723-9154-800ec119006e) Intrusion Set 2
Sowbug - G0054 (d1acfbb3-647b-4723-9154-800ec119006e) Intrusion Set Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
Sowbug - G0054 (d1acfbb3-647b-4723-9154-800ec119006e) Intrusion Set Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 2
Sowbug - G0054 (d1acfbb3-647b-4723-9154-800ec119006e) Intrusion Set Felismus - S0171 (196f1f32-e0c2-4d46-99cd-234d4b6befe1) Malware 2
Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) Attack Pattern Sowbug - G0054 (d1acfbb3-647b-4723-9154-800ec119006e) Intrusion Set 2
Sowbug - G0054 (d1acfbb3-647b-4723-9154-800ec119006e) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Starloader - S0188 (96566860-9f11-4b6f-964d-1c924e4f24a4) Malware 3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Starloader - S0188 (96566860-9f11-4b6f-964d-1c924e4f24a4) Malware 3
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Felismus - S0171 (196f1f32-e0c2-4d46-99cd-234d4b6befe1) Malware 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Felismus - S0171 (196f1f32-e0c2-4d46-99cd-234d4b6befe1) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Felismus - S0171 (196f1f32-e0c2-4d46-99cd-234d4b6befe1) Malware 3
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Felismus - S0171 (196f1f32-e0c2-4d46-99cd-234d4b6befe1) Malware 3
Felismus - S0171 (196f1f32-e0c2-4d46-99cd-234d4b6befe1) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Felismus - S0171 (196f1f32-e0c2-4d46-99cd-234d4b6befe1) Malware 3
Felismus - S0171 (196f1f32-e0c2-4d46-99cd-234d4b6befe1) Malware Felismus (07a41ea7-17b2-4852-bfd7-54211c477dc0) Malpedia 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Felismus - S0171 (196f1f32-e0c2-4d46-99cd-234d4b6befe1) Malware 3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Felismus - S0171 (196f1f32-e0c2-4d46-99cd-234d4b6befe1) Malware 3
Felismus - S0171 (196f1f32-e0c2-4d46-99cd-234d4b6befe1) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Felismus - S0171 (196f1f32-e0c2-4d46-99cd-234d4b6befe1) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 4
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 4