C0021
C0021 was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. C0021's technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected APT29 activity.[2][1]
Item | Value |
---|---|
ID | C0021 |
Associated Names | |
First Seen | November 2018 |
Last Seen | November 2018 |
Version | 1.0 |
Created | 15 March 2023 |
Last Modified | 05 April 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1583 | Acquire Infrastructure | - |
enterprise | T1583.001 | Domains | For C0021, the threat actors registered domains for use in C2.[1] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | During C0021, the threat actors used HTTP for some of their C2 communications.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | During C0021, the threat actors used obfuscated PowerShell to extract an encoded payload from within an .LNK file.[1][2] |
enterprise | T1584 | Compromise Infrastructure | - |
enterprise | T1584.001 | Domains | For C0021, the threat actors used legitimate but compromised domains to host malicious payloads.[2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | During C0021, the threat actors deobfuscated encoded PowerShell commands, including use of the specific string 'FromBase'+0x40+'String' in place of FromBase64String, which is normally used to decode base64.[1][2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | During C0021, the threat actors used SSL via TCP port 443 for C2 communications.[1] |
enterprise | T1105 | Ingress Tool Transfer | During C0021, the threat actors downloaded additional tools and files onto victim machines.[2][1] |
enterprise | T1095 | Non-Application Layer Protocol | During C0021, the threat actors used TCP for some C2 communications.[1] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.009 | Embedded Payloads | For C0021, the threat actors embedded a base64-encoded payload within a LNK file.[2] |
enterprise | T1027.010 | Command Obfuscation | During C0021, the threat actors used encoded PowerShell commands.[1][2] |
enterprise | T1588 | Obtain Capabilities | - |
enterprise | T1588.002 | Tool | For C0021, the threat actors used Cobalt Strike configured with a modified variation of the publicly available Pandora Malleable C2 Profile.[1][2] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.002 | Spearphishing Link | During C0021, the threat actors sent phishing emails with unique malicious links, likely for tracking victim clicks.[1][2] |
enterprise | T1608 | Stage Capabilities | - |
enterprise | T1608.001 | Upload Malware | For C0021, the threat actors uploaded malware to websites under their control.[1][2] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | During C0021, the threat actors used rundll32.exe to execute the Cobalt Strike Beacon loader DLL.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | During C0021, the threat actors lured users into clicking a malicious link which led to the download of a ZIP archive containing a malicious .LNK file.[1] |
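The T1140 and T1027.010 rows describe the same trick: PowerShell evaluates 'FromBase'+0x40+'String' to FromBase64String because '+' with a string on the left concatenates and renders the integer in decimal, so a literal-string search for the decoder name misses it. The detector below is an added example written for this page, not code from MITRE or the cited reports; it folds such concatenation chains back into literals before matching, and the command lines it runs over are constructed samples, not artifacts from the campaign.

```python
import re

# Hypothetical detector (added example): fold PowerShell '+' chains that mix
# quoted fragments with integer literals, e.g. 'FromBase'+0x40+'String', back
# into the literal they evaluate to, then look for the base64 decoder name.
# Rule mirrored from PowerShell: when the LEFT operand is a string, '+' is
# string concatenation and a numeric right operand is rendered in decimal.

_OPERAND = r"(?:'[^']*'|\"[^\"]*\"|0[xX][0-9A-Fa-f]+|\d+)"
_CHAIN = re.compile(rf"{_OPERAND}(?:\s*\+\s*{_OPERAND})+")
_TOKEN = re.compile(_OPERAND)

INDICATORS = ("frombase64string",)  # decoder name this campaign hid


def _literal(tok: str) -> str:
    """Render one operand the way PowerShell string concatenation would."""
    if tok[0] in "'\"":
        return tok[1:-1]
    return str(int(tok, 16 if tok[:2].lower() == "0x" else 10))


def normalize_concat(cmdline: str) -> str:
    """Replace each string-led '+' chain with the single literal it yields.
    Chains led by a number are left alone: PowerShell would attempt integer
    addition there rather than concatenation."""
    def fold(match):
        chain = match.group(0)
        if chain[0] not in "'\"":
            return chain
        return "'" + "".join(_literal(t) for t in _TOKEN.findall(chain)) + "'"
    return _CHAIN.sub(fold, cmdline)


def analyze(cmdline: str) -> dict:
    """Return the normalized line, decoder names found in it, and whether they
    appeared only after folding (i.e. were hidden by concatenation).
    Only '+' concatenation is handled; other PowerShell tricks need more rules."""
    norm = normalize_concat(cmdline)
    found = [i for i in INDICATORS if i in norm.lower()]
    hidden = [i for i in found if i not in cmdline.lower()]
    return {"normalized": norm, "indicators": found, "obfuscated": bool(hidden)}


# Constructed sample command lines (not from the campaign): the concatenation
# trick, the plain method name, and a benign administrative task.
SAMPLES = [
    "powershell -w hidden -c \"[Convert]::('FromBase'+0x40+'String')('QUJD')\"",
    "powershell -c \"[Convert]::FromBase64String('QUJD')\"",
    "powershell -c \"Get-Service | Where-Object Status -eq 'Running'\"",
]

if __name__ == "__main__":
    for line in SAMPLES:
        r = analyze(line)
        print(f"obfuscated={r['obfuscated']!s:5} indicators={r['indicators']}  {line}")
```

Only the first sample is reported as obfuscated; the second matches the indicator without folding and the third matches nothing.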
Software
ID | Name | Description |
---|---|---|
S0154 | Cobalt Strike | [1][2] |
References
- [1] Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
- [2] Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.