
G0096 APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group. [1][2]

Item Value
ID G0096
Associated Names WICKED PANDA
Version 3.0
Created 23 September 2019
Last Modified 15 October 2021

Associated Group Descriptions

Name Description
WICKED PANDA [3]

Techniques Used

Domain: Enterprise (all entries below). Sub-techniques are indented under their parent technique; bracketed numbers are the page's citation indices.

T1071 Application Layer Protocol
  T1071.001 Web Protocols: APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits. [4]
  T1071.002 File Transfer Protocols: APT41 used exploit payloads that initiate download via ftp. [4]
  T1071.004 DNS: APT41 used DNS for C2 communications. [1][2]
T1560 Archive Collected Data
  T1560.001 Archive via Utility: APT41 created a RAR archive of targeted files for exfiltration. [1]
T1197 BITS Jobs: APT41 used BITSAdmin to download and install payloads. [4][3]
T1547 Boot or Logon Autostart Execution
  T1547.001 Registry Run Keys / Startup Folder: APT41 created and modified startup files for persistence. [1][2] APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike. [4]
T1110 Brute Force
  T1110.002 Password Cracking: APT41 performed password brute-force attacks on the local admin account. [1]
T1059 Command and Scripting Interpreter
  T1059.001 PowerShell: APT41 leveraged PowerShell to deploy malware families in victims' environments. [1][4]
  T1059.003 Windows Command Shell: APT41 used cmd.exe /c to execute commands on remote machines. [1] APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader. [4]
  T1059.004 Unix Shell: APT41 executed file /bin/pwd in activity exploiting CVE-2019-19781 against Citrix devices. [4]
T1136 Create Account
  T1136.001 Local Account: APT41 created user accounts and added them to the User and Admin groups. [1]
T1543 Create or Modify System Process
  T1543.003 Windows Service: APT41 modified legitimate Windows services to install malware backdoors. [1][2] APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike. [4]
T1486 Data Encrypted for Impact: APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user. [1]
T1005 Data from Local System: APT41 has uploaded files and data from a compromised host. [2]
T1568 Dynamic Resolution
  T1568.002 Domain Generation Algorithms: APT41 has used DGAs to change their C2 servers monthly. [1]
T1546 Event Triggered Execution
  T1546.008 Accessibility Features: APT41 leveraged sticky keys to establish persistence. [1]
T1480 Execution Guardrails
  T1480.001 Environmental Keying: APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second-stage malware with an RC5 key derived in part from the infected system's volume serial number. [5]
T1190 Exploit Public-Facing Application: APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices. [4]
T1203 Exploitation for Client Execution: APT41 leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396. [1]
T1133 External Remote Services: APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service. [1]
T1008 Fallback Channels: APT41 used the Steam community page as a fallback mechanism for C2. [1]
T1083 File and Directory Discovery: APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture-related information. [4]
T1574 Hijack Execution Flow
  T1574.001 DLL Search Order Hijacking: APT41 has used search order hijacking to execute malicious payloads, such as Winnti RAT. [3]
  T1574.002 DLL Side-Loading: APT41 used legitimate executables to perform DLL side-loading of their malware. [1]
  T1574.006 Dynamic Linker Hijacking: APT41 has configured payloads to load via LD_PRELOAD. [3]
T1070 Indicator Removal on Host
  T1070.001 Clear Windows Event Logs: APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events. [1]
  T1070.003 Clear Command History: APT41 attempted to remove evidence of some of its activity by deleting Bash histories. [1]
  T1070.004 File Deletion: APT41 deleted files from the system. [1]
T1105 Ingress Tool Transfer: APT41 used certutil to download additional files. [4][3][2]
T1056 Input Capture
  T1056.001 Keylogging: APT41 used a keylogger called GEARSHIFT on a target system. [1]
T1036 Masquerading
  T1036.004 Masquerade Task or Service: APT41 has created services to appear as benign system tools. [2]
  T1036.005 Match Legitimate Name or Location: APT41 attempted to masquerade their files as popular anti-virus software. [1][2]
T1112 Modify Registry: APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials. [1][2]
T1104 Multi-Stage Channels: APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor. [4]
T1046 Network Service Discovery: APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets. [1]
T1135 Network Share Discovery: APT41 used the net share command as part of network reconnaissance. [1][2]
T1027 Obfuscated Files or Information: APT41 used VMProtected binaries in multiple intrusions. [4]
T1588 Obtain Capabilities
  T1588.002 Tool: APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor. [1]
T1003 OS Credential Dumping
  T1003.001 LSASS Memory: APT41 has used hashdump, Mimikatz, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts. [1][2]
T1566 Phishing
  T1566.001 Spearphishing Attachment: APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. [1]
T1542 Pre-OS Boot
  T1542.003 Bootkit: APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems. [1]
T1055 Process Injection: APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process. [1]
T1090 Proxy: APT41 used a tool called CLASSFON to covertly proxy network communications. [1]
T1021 Remote Services
  T1021.001 Remote Desktop Protocol: APT41 used RDP for lateral movement. [1][3]
  T1021.002 SMB/Windows Admin Shares: APT41 has transferred implant files using Windows Admin Shares. [3]
T1496 Resource Hijacking: APT41 deployed a Monero cryptocurrency mining tool in a victim's environment. [1]
T1014 Rootkit: APT41 deployed rootkits on Linux systems. [1][3]
T1053 Scheduled Task/Job
  T1053.005 Scheduled Task: APT41 used a compromised account to create a scheduled task on a system. [1][3]
T1553 Subvert Trust Controls
  T1553.002 Code Signing: APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations. [1][2]
T1195 Supply Chain Compromise
  T1195.002 Compromise Software Supply Chain: APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users. [1]
T1218 System Binary Proxy Execution
  T1218.001 Compiled HTML File: APT41 used compiled HTML (.chm) files for targeting. [1]
  T1218.011 Rundll32: APT41 has used rundll32.exe to execute a loader. [3]
T1016 System Network Configuration Discovery: APT41 collected MAC addresses from victim machines. [1][2]
T1049 System Network Connections Discovery: APT41 has enumerated IP addresses of network resources and used the netstat command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions. [1][2]
T1033 System Owner/User Discovery: APT41 used the WMIEXEC utility to execute whoami commands on remote machines. [1]
T1569 System Services
  T1569.002 Service Execution: APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader. [4][2]
T1078 Valid Accounts: APT41 used compromised credentials to log on to other systems. [1][3]
T1102 Web Service
  T1102.001 Dead Drop Resolver: APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet. [1]
T1047 Windows Management Instrumentation: APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit. [1][2]

Software

ID Name [References]: Techniques (listed as sub-technique: parent technique)

S0073 ASPXSpy [1]: Web Shell: Server Software Component
S0190 BITSAdmin: BITS Jobs; Exfiltration Over Unencrypted Non-C2 Protocol: Exfiltration Over Alternative Protocol; Ingress Tool Transfer; Lateral Tool Transfer
S0069 BLACKCOFFEE: Windows Command Shell: Command and Scripting Interpreter; File and Directory Discovery; File Deletion: Indicator Removal on Host; Multi-Stage Channels; Process Discovery; Bidirectional Communication: Web Service; Dead Drop Resolver: Web Service
S0160 certutil: Deobfuscate/Decode Files or Information; Ingress Tool Transfer; Install Root Certificate: Subvert Trust Controls
S0020 China Chopper: Web Protocols: Application Layer Protocol; Password Guessing: Brute Force; Windows Command Shell: Command and Scripting Interpreter; Data from Local System; File and Directory Discovery; Timestomp: Indicator Removal on Host; Ingress Tool Transfer; Network Service Discovery; Software Packing: Obfuscated Files or Information; Web Shell: Server Software Component
S0154 Cobalt Strike: Bypass User Account Control: Abuse Elevation Control Mechanism; Sudo and Sudo Caching: Abuse Elevation Control Mechanism; Make and Impersonate Token: Access Token Manipulation; Parent PID Spoofing: Access Token Manipulation; Token Impersonation/Theft: Access Token Manipulation; Domain Account: Account Discovery; Application Layer Protocol; DNS: Application Layer Protocol; Web Protocols: Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Python: Command and Scripting Interpreter; Visual Basic: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; JavaScript: Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Commonly Used Port; Windows Service: Create or Modify System Process; Standard Encoding: Data Encoding; Data from Local System; Protocol Impersonation: Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; Asymmetric Cryptography: Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing: Hide Artifacts; Disable or Modify Tools: Impair Defenses; Timestomp: Indicator Removal on Host; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Multiband Communication; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools: Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros: Office Application Startup; Security Account Manager: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Local Groups: Permission Groups Discovery; Domain Groups: Permission Groups Discovery; Process Discovery; Dynamic-link Library Injection: Process Injection; Process Hollowing: Process Injection; Process Injection; Protocol Tunneling; Domain Fronting: Proxy; Internal Proxy: Proxy; Query Registry; Reflective Code Loading; Windows Remote Management: Remote Services; Remote Desktop Protocol: Remote Services; SMB/Windows Admin Shares: Remote Services; Distributed Component Object Model: Remote Services; SSH: Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing: Subvert Trust Controls; Rundll32: System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution: System Services; Pass the Hash: Use Alternate Authentication Material; Domain Accounts: Valid Accounts; Local Accounts: Valid Accounts; Windows Management Instrumentation
S0021 Derusbi: Audio Capture; Unix Shell: Command and Scripting Interpreter; Commonly Used Port; Symmetric Cryptography: Encrypted Channel; Fallback Channels; File and Directory Discovery; File Deletion: Indicator Removal on Host; Timestomp: Indicator Removal on Host; Keylogging: Input Capture; Non-Application Layer Protocol; Non-Standard Port; Process Discovery; Dynamic-link Library Injection: Process Injection; Query Registry; Screen Capture; Regsvr32: System Binary Proxy Execution; System Information Discovery; System Owner/User Discovery; Video Capture
S0363 Empire: Bypass User Account Control: Abuse Elevation Control Mechanism; Access Token Manipulation; SID-History Injection: Access Token Manipulation; Create Process with Token: Access Token Manipulation; Domain Account: Account Discovery; Local Account: Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay: Adversary-in-the-Middle; Web Protocols: Application Layer Protocol; Archive Collected Data; Shortcut Modification: Boot or Logon Autostart Execution; Security Support Provider: Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Browser Bookmark Discovery; Clipboard Data; Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; Commonly Used Port; Domain Account: Create Account; Local Account: Create Account; Windows Service: Create or Modify System Process; Credentials from Web Browsers: Credentials from Password Stores; Group Policy Modification: Domain Policy Modification; Domain Trust Discovery; Local Email Collection: Email Collection; Asymmetric Cryptography: Encrypted Channel; Accessibility Features: Event Triggered Execution; Exfiltration Over C2 Channel; Exfiltration to Cloud Storage: Exfiltration Over Web Service; Exfiltration to Code Repository: Exfiltration Over Web Service; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Group Policy Discovery; Path Interception by Search Order Hijacking: Hijack Execution Flow; Path Interception by PATH Environment Variable: Hijack Execution Flow; Path Interception by Unquoted Path: Hijack Execution Flow; DLL Search Order Hijacking: Hijack Execution Flow; Dylib Hijacking: Hijack Execution Flow; Timestomp: Indicator Removal on Host; Ingress Tool Transfer; Credential API Hooking: Input Capture; Keylogging: Input Capture; Native API; Network Service Discovery; Network Share Discovery; Network Sniffing; Obfuscated Files or Information; LSASS Memory: OS Credential Dumping; Process Discovery; Process Injection; Distributed Component Object Model: Remote Services; SSH: Remote Services; Scheduled Task: Scheduled Task/Job; Screen Capture; Security Software Discovery: Software Discovery; Golden Ticket: Steal or Forge Kerberos Tickets; Kerberoasting: Steal or Forge Kerberos Tickets; Silver Ticket: Steal or Forge Kerberos Tickets; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; Service Execution: System Services; MSBuild: Trusted Developer Utilities Proxy Execution; Private Keys: Unsecured Credentials; Credentials In Files: Unsecured Credentials; Pass the Hash: Use Alternate Authentication Material; Video Capture; Bidirectional Communication: Web Service; Windows Management Instrumentation
S0095 ftp: Commonly Used Port; Exfiltration Over Unencrypted Non-C2 Protocol: Exfiltration Over Alternative Protocol; Ingress Tool Transfer; Lateral Tool Transfer
S0032 gh0st RAT: Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Standard Encoding: Data Encoding; Deobfuscate/Decode Files or Information; Fast Flux DNS: Dynamic Resolution; Symmetric Cryptography: Encrypted Channel; Encrypted Channel; DLL Side-Loading: Hijack Execution Flow; Clear Windows Event Logs: Indicator Removal on Host; File Deletion: Indicator Removal on Host; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Native API; Non-Application Layer Protocol; Process Discovery; Process Injection; Query Registry; Screen Capture; Shared Modules; Rundll32: System Binary Proxy Execution; System Information Discovery; Service Execution: System Services
S0100 ipconfig: System Network Configuration Discovery
S0443 MESSAGETAP: Archive via Custom Method: Archive Collected Data; Automated Collection; Local Data Staging: Data Staged; Deobfuscate/Decode Files or Information; File and Directory Discovery; File Deletion: Indicator Removal on Host; Network Sniffing; System Network Connections Discovery
S0002 Mimikatz: SID-History Injection: Access Token Manipulation; Account Manipulation; Security Support Provider: Boot or Logon Autostart Execution; Credentials from Password Stores; Credentials from Web Browsers: Credentials from Password Stores; Windows Credential Manager: Credentials from Password Stores; LSA Secrets: OS Credential Dumping; DCSync: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Rogue Domain Controller; Silver Ticket: Steal or Forge Kerberos Tickets; Golden Ticket: Steal or Forge Kerberos Tickets; Private Keys: Unsecured Credentials; Pass the Hash: Use Alternate Authentication Material; Pass the Ticket: Use Alternate Authentication Material
S0039 Net: Domain Account: Account Discovery; Local Account: Account Discovery; Domain Account: Create Account; Local Account: Create Account; Network Share Connection Removal: Indicator Removal on Host; Network Share Discovery; Password Policy Discovery; Domain Groups: Permission Groups Discovery; Local Groups: Permission Groups Discovery; SMB/Windows Admin Shares: Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution: System Services; System Time Discovery
S0104 netstat: System Network Connections Discovery
S0385 njRAT: Web Protocols: Application Layer Protocol; Application Window Discovery; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; Credentials from Web Browsers: Credentials from Password Stores; Standard Encoding: Data Encoding; Data from Local System; Fast Flux DNS: Dynamic Resolution; Exfiltration Over C2 Channel; File and Directory Discovery; Disable or Modify System Firewall: Impair Defenses; File Deletion: Indicator Removal on Host; Indicator Removal on Host; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Native API; Non-Standard Port; Obfuscated Files or Information; Compile After Delivery: Obfuscated Files or Information; Peripheral Device Discovery; Process Discovery; Query Registry; Remote Desktop Protocol: Remote Services; Remote System Discovery; Replication Through Removable Media; Screen Capture; System Information Discovery; System Owner/User Discovery; Video Capture
S0097 Ping: Remote System Discovery
S0013 PlugX: DNS: Application Layer Protocol; Web Protocols: Application Layer Protocol; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; Commonly Used Port; Windows Service: Create or Modify System Process; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; File and Directory Discovery; Hidden Files and Directories: Hide Artifacts; DLL Search Order Hijacking: Hijack Execution Flow; DLL Side-Loading: Hijack Execution Flow; Ingress Tool Transfer; Keylogging: Input Capture; Masquerade Task or Service: Masquerading; Match Legitimate Name or Location: Masquerading; Modify Registry; Multiband Communication; Native API; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information; Process Discovery; Query Registry; Screen Capture; System Network Connections Discovery; MSBuild: Trusted Developer Utilities Proxy Execution; System Checks: Virtualization/Sandbox Evasion; Dead Drop Resolver: Web Service
S0194 PowerSploit: Access Token Manipulation; Local Account: Account Discovery; Audio Capture; Security Support Provider: Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; PowerShell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Windows Credential Manager: Credentials from Password Stores; Data from Local System; Domain Trust Discovery; DLL Search Order Hijacking: Hijack Execution Flow; Path Interception by Unquoted Path: Hijack Execution Flow; Path Interception by PATH Environment Variable: Hijack Execution Flow; Path Interception by Search Order Hijacking: Hijack Execution Flow; Keylogging: Input Capture; Obfuscated Files or Information; Indicator Removal from Tools: Obfuscated Files or Information; LSASS Memory: OS Credential Dumping; Path Interception; Process Discovery; Dynamic-link Library Injection: Process Injection; Query Registry; Reflective Code Loading; Scheduled Task: Scheduled Task/Job; Screen Capture; Kerberoasting: Steal or Forge Kerberos Tickets; Credentials in Registry: Unsecured Credentials; Group Policy Preferences: Unsecured Credentials; Windows Management Instrumentation
S0006 pwdump: Security Account Manager: OS Credential Dumping
S0112 ROCKBOOT: Bootkit: Pre-OS Boot
S0596 ShadowPad: File Transfer Protocols: Application Layer Protocol; DNS: Application Layer Protocol; Web Protocols: Application Layer Protocol; Non-Standard Encoding: Data Encoding; Deobfuscate/Decode Files or Information; Domain Generation Algorithms: Dynamic Resolution; Indicator Removal on Host; Ingress Tool Transfer; Modify Registry; Non-Application Layer Protocol; Obfuscated Files or Information; Process Discovery; Process Injection; Dynamic-link Library Injection: Process Injection; Scheduled Transfer; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Time Discovery
S0430 Winnti for Linux: Web Protocols: Application Layer Protocol; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; Ingress Tool Transfer; Non-Application Layer Protocol; Obfuscated Files or Information; Rootkit; Traffic Signaling
S0412 ZxShell: Create Process with Token: Access Token Manipulation; Web Protocols: Application Layer Protocol; File Transfer Protocols: Application Layer Protocol; Windows Command Shell: Command and Scripting Interpreter; Commonly Used Port; Local Account: Create Account; Windows Service: Create or Modify System Process; Data from Local System; Endpoint Denial of Service; Exploit Public-Facing Application; File and Directory Discovery; Disable or Modify Tools: Impair Defenses; Disable or Modify System Firewall: Impair Defenses; Clear Windows Event Logs: Indicator Removal on Host; File Deletion: Indicator Removal on Host; Ingress Tool Transfer; Keylogging: Input Capture; Credential API Hooking: Input Capture; Modify Registry; Native API; Network Service Discovery; Non-Standard Port; Process Discovery; Dynamic-link Library Injection: Process Injection; Proxy; Query Registry; VNC: Remote Services; Remote Desktop Protocol: Remote Services; Screen Capture; Rundll32: System Binary Proxy Execution; System Information Discovery; System Owner/User Discovery; System Service Discovery; Service Execution: System Services; Video Capture
