Suckfly is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Linux, Windows, macOS, AWS, GCP, Azure | discovery | Network Service Scanning | Suckfly the victim's internal network for hosts with ports 8080, 5900, and 40 open. | Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process use of network |
| Linux, macOS, Windows | execution | Command-Line Interface | Several tools used by Suckfly have been command-line driven. | Process monitoring, Process command-line parameters |
| Windows, Linux, macOS | credential-access | Credential Dumping | Suckfly used a signed credential-dumping tool to obtain victim account credentials. | API monitoring, Process monitoring, PowerShell logs, Process command-line parameters |
| macOS, Windows | defense-evasion | Code Signing | Suckfly has used stolen certificates to sign its malware. | Binary file metadata |
| Linux, macOS, Windows, AWS, GCP, Azure, SaaS, Office 365 | defense-evasion, persistence, privilege-escalation, initial-access | Valid Accounts | Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner. | AWS CloudTrail logs, Stackdriver logs, Authentication logs, Process monitoring |