S0682 TrailBlazer
TrailBlazer is a modular malware that has been used by APT29 since at least 2019. [1]
Item | Value |
---|---|
ID | S0682 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 08 February 2022 |
Last Modified | 27 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | TrailBlazer has used HTTP requests for C2. [1] |
enterprise | T1001 | Data Obfuscation | TrailBlazer can masquerade its C2 traffic as legitimate Google Notifications HTTP requests. [1] |
enterprise | T1001.001 | Junk Data | TrailBlazer has used random identifier strings to obscure its C2 operations and result codes. [1] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | TrailBlazer has the ability to use WMI for persistence. [1] |
enterprise | T1036 | Masquerading | TrailBlazer has used filenames that match the name of the compromised system in an attempt to avoid detection. [1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [1] [3] [4] [2] |
References
1. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
2. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.
3. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
4. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.