
C0021

C0021 was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. C0021's technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected APT29 activity.[2][1]

| Item | Value |
| --- | --- |
| ID | C0021 |
| Associated Names | |
| First Seen | November 2018 |
| Last Seen | November 2018 |
| Version | 1.0 |
| Created | 15 March 2023 |
| Last Modified | 05 April 2023 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | For C0021, the threat actors registered domains for use in C2.[1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | During C0021, the threat actors used HTTP for some of their C2 communications.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | During C0021, the threat actors used obfuscated PowerShell to extract an encoded payload from within an .LNK file.[1][2] |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.001 | Domains | For C0021, the threat actors used legitimate but compromised domains to host malicious payloads.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | During C0021, the threat actors deobfuscated encoded PowerShell commands, including use of the specific string 'FromBase'+0x40+'String' in place of FromBase64String, which is normally used to decode base64.[1][2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | During C0021, the threat actors used SSL via TCP port 443 for C2 communications.[1] |
| enterprise | T1105 | Ingress Tool Transfer | During C0021, the threat actors downloaded additional tools and files onto victim machines.[2][1] |
| enterprise | T1095 | Non-Application Layer Protocol | During C0021, the threat actors used TCP for some C2 communications.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.009 | Embedded Payloads | For C0021, the threat actors embedded a base64-encoded payload within a LNK file.[2] |
| enterprise | T1027.010 | Command Obfuscation | During C0021, the threat actors used encoded PowerShell commands.[1][2] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | For C0021, the threat actors used Cobalt Strike configured with a modified variation of the publicly available Pandora Malleable C2 Profile.[1][2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | During C0021, the threat actors sent phishing emails with unique malicious links, likely for tracking victim clicks.[1][2] |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.001 | Upload Malware | For C0021, the threat actors uploaded malware to websites under their control.[1][2] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | During C0021, the threat actors used rundll32.exe to execute the Cobalt Strike Beacon loader DLL.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | During C0021, the threat actors lured users into clicking a malicious link which led to the download of a ZIP archive containing a malicious .LNK file.[1] |
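
Detection-oriented example added here (not code from the ATT&CK page or the cited reports) for the T1140/T1027.010 rows above: it folds PowerShell literal concatenations such as 'FromBase'+0x40+'String' back into the string the interpreter would build, then flags command lines in which FromBase64String appears only after folding. The sample command lines and the function names are constructed assumptions for illustration.

```python
import re

# Assumed mini-grammar for literal '+' chains in a PowerShell command line:
# a quoted string followed by one or more '+' quoted-string / integer literals.
# PowerShell appends an integer to a string via ToString(), so 0x40 becomes "64".
_STR = r"(?:'[^']*'|\"[^\"]*\")"
_TOKEN = rf"(?:{_STR}|0x[0-9a-fA-F]+|\d+)"
_TOKEN_RE = re.compile(_TOKEN)
_CONCAT_RE = re.compile(rf"{_STR}(?:\s*\+\s*{_TOKEN})+")


def _literal_value(tok: str) -> str:
    """Value of one literal token as PowerShell would render it in a string."""
    if tok[0] in "'\"":
        return tok[1:-1]
    base = 16 if tok.lower().startswith("0x") else 10
    return str(int(tok, base))


def fold_concatenations(cmdline: str) -> str:
    """Replace each literal '+' chain with the single string it evaluates to."""
    def fold(match: re.Match) -> str:
        parts = _TOKEN_RE.findall(match.group(0))
        return "'" + "".join(_literal_value(p) for p in parts) + "'"
    return _CONCAT_RE.sub(fold, cmdline)


def detect_hidden_base64_decode(cmdline: str) -> dict:
    """Flag FromBase64String that is only visible after folding concatenations."""
    folded = fold_concatenations(cmdline)
    raw_hit = "frombase64string" in cmdline.lower()
    folded_hit = "frombase64string" in folded.lower()
    return {"base64_decode": folded_hit,
            "obfuscated": folded_hit and not raw_hit,
            "folded": folded}


def scan_cmdlines(cmdlines: list) -> list:
    """Return indices of command lines that hide a base64 decode behind concatenation."""
    return [i for i, c in enumerate(cmdlines)
            if detect_hidden_base64_decode(c)["obfuscated"]]


# Constructed sample process command lines (not campaign artifacts).
SAMPLE_CMDLINES = [
    "powershell -nop -w hidden -c \"[Convert]::FromBase64String($x)\"",
    "powershell -c \"$d=[Convert]::('FromBase'+0x40+'String')($p)\"",
    "powershell -c \"Get-ChildItem C:\\Users\"",
]

if __name__ == "__main__":
    for i in scan_cmdlines(SAMPLE_CMDLINES):
        print(i, detect_hidden_base64_decode(SAMPLE_CMDLINES[i])["folded"])
```

The folding step is deliberately narrow (string and integer literals only); it is meant as one normalization layer in front of a broader PowerShell command-line rule, not a complete deobfuscator.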

Software

| ID | Name | Description |
| --- | --- | --- |
| S0154 | Cobalt Strike | [1][2] |

References