S1052 DEADEYE
DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).1
| Item | Value |
|---|---|
| ID | S1052 |
| Associated Names | DEADEYE.EMBED, DEADEYE.APPEND |
| Type | MALWARE |
| Version | 1.0 |
| Created | 20 December 2022 |
| Last Modified | 07 April 2023 |
Associated Software Descriptions
| Name | Description |
|---|---|
| DEADEYE.EMBED | 1 |
| DEADEYE.APPEND | 1 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | DEADEYE can run cmd /c copy /y /b C:\Users\public\syslog_6-*.dat C:\Users\public\syslog.dll to combine separated sections of code into a single DLL prior to execution.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | DEADEYE has the ability to combine multiple sections of a binary which were broken up to evade detection into a single .dll prior to execution.1 |
| enterprise | T1480 | Execution Guardrails | DEADEYE can ensure it executes only on intended systems by identifying the victim’s volume serial number, hostname, and/or DNS domain.1 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.004 | NTFS File Attributes | The DEADEYE.EMBED variant of DEADEYE can embed its payload in an alternate data stream of a local file.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | DEADEYE has used schtasks /change to modify scheduled tasks including \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared.1 |
| enterprise | T1106 | Native API | DEADEYE can execute the GetComputerNameA and GetComputerNameExA WinAPI functions.1 |
| enterprise | T1027 | Obfuscated Files or Information | DEADEYE has encrypted its payload.1 |
| enterprise | T1027.009 | Embedded Payloads | The DEADEYE.EMBED variant of DEADEYE has the ability to embed payloads inside of a compiled binary.1 |
| enterprise | T1053 | Scheduled Task/Job | DEADEYE has used the scheduled tasks \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared to establish persistence.1 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | DEADEYE can use msiexec.exe to execute a malicious DLL.1 |
| enterprise | T1218.011 | Rundll32 | DEADEYE can use rundll32.exe to execute living-off-the-land binaries (LOLBins) such as SHELL32.DLL.1 |
| enterprise | T1082 | System Information Discovery | DEADEYE can enumerate a victim computer’s volume serial number and host name.1 |
| enterprise | T1016 | System Network Configuration Discovery | DEADEYE can discover the DNS domain name of a targeted system.1 |
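The rows above for T1059.003, T1036.004/T1053, T1218.007 and T1218.011 each describe a command line a defender can look for in process-creation telemetry. The script below is an added example, not code from the ATT&CK page or from APT41 tooling: it runs a small set of rules over constructed Sysmon Event ID 1-style records (Image and CommandLine fields). The sample command lines reproduce the copy /y /b pattern and task names from the entry; the /tr value on the schtasks event and the ShellExec_RunDLL export on the rundll32 event are assumptions added to make the samples realistic, and the scheduled-task rule deliberately generalises from the four named tasks to any task under \Microsoft\Windows\ modified with schtasks /change.

```python
"""Triage Windows process-creation events for the DEADEYE launcher
behaviours described in the ATT&CK S1052 entry.

Added example, not code from the ATT&CK page or from APT41 tooling.
The EVENTS records are constructed to resemble Sysmon Event ID 1 fields;
the /tr argument and the ShellExec_RunDLL export are assumptions.
"""
import re

# Any built-in task under this prefix that gets repointed is suspicious; the
# entry names four such tasks (PLA, Ras and two WDI tasks).
MICROSOFT_TASK_PREFIX = "\\microsoft\\windows\\"

# cmd /c copy ... /b <wildcard fragments> <something>.dll  (T1059.003, T1140)
COPY_CONCAT = re.compile(r"\bcopy\b(?=.*\s/b\b)(?=.*\*).*\.dll\b", re.I)
TASK_NAME = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.I)
RUNDLL_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s,"]+)', re.I)
USER_WRITABLE = re.compile(r"[a-z]:\\(users|programdata|windows\\temp)\\", re.I)


def analyze(event):
    """Return the ATT&CK technique IDs from the DEADEYE entry that this event matches."""
    exe = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    low = cmd.lower()
    hits = []

    if exe == "cmd.exe" and COPY_CONCAT.search(cmd):
        # Binary concatenation of split fragments back into one DLL.
        hits += ["T1059.003", "T1140"]

    if exe == "schtasks.exe" and re.search(r"\s/change\b", low):
        m = TASK_NAME.search(cmd)
        task = (m.group(1) or m.group(2)).lower() if m else ""
        if task.startswith(MICROSOFT_TASK_PREFIX):
            # Repointing an existing Microsoft task instead of creating a new one.
            hits += ["T1036.004", "T1053"]

    if exe == "msiexec.exe" and re.search(r"/[yz]\s+\S+\.dll\b", low):
        # msiexec /y <dll> calls DllRegisterServer in an arbitrary DLL.
        hits.append("T1218.007")

    if exe == "rundll32.exe":
        m = RUNDLL_TARGET.search(cmd)
        target = m.group(1).lower() if m else ""
        # Flag a DLL loaded from a user-writable path, or shell32's
        # ShellExec_RunDLL export used to launch an arbitrary command.
        if USER_WRITABLE.search(target) or (
            target.endswith("shell32.dll") and "shellexec_rundll" in low
        ):
            hits.append("T1218.011")

    return hits


def triage(events):
    """Map event id -> matched techniques, dropping events that match nothing."""
    out = {}
    for ev in events:
        hits = analyze(ev)
        if hits:
            out[ev["id"]] = hits
    return out


# Constructed sample events: 1-4 mirror the entry, 5-6 are benign look-alikes.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy /y /b C:\Users\public\syslog_6-*.dat C:\Users\public\syslog.dll"},
    {"id": 2, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /change /tn "\Microsoft\Windows\WDI\USOShared" /tr "C:\Users\public\loader.exe"'},
    {"id": 3, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /y C:\Users\public\syslog.dll"},
    {"id": 4, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe SHELL32.DLL,ShellExec_RunDLL C:\Users\public\syslog.exe"},
    {"id": 5, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy C:\reports\q3.txt D:\backup\q3.txt"},
    {"id": 6, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

if __name__ == "__main__":
    for event_id, techniques in sorted(triage(EVENTS).items()):
        print(f"event {event_id}: {', '.join(techniques)}")
```

The copy rule keys on the /b switch plus a wildcard source and a .dll destination rather than on the literal syslog_6-*.dat name, since the fragment names are trivially changed; the benign copy on event 5 and the ordinary Control Panel rundll32 invocation on event 6 produce no hits.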
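The T1480 row says DEADEYE runs only on intended systems by checking the volume serial number, hostname (the GetComputerNameA/GetComputerNameExA calls in the T1106 row) and DNS domain. The entry does not say how those values gate execution, so the block below is an added example of the general technique, environmental keying, not DEADEYE's own implementation: the payload is encrypted under a key derived from the three identifiers, and a host whose identifiers differ (a sandbox, an analyst VM) gets a tag mismatch and nothing to run. The HMAC-SHA256 keystream-and-tag construction is a standard-library stand-in for whatever cipher a real launcher would use, and the TARGET and SANDBOX identifier tuples are constructed. The practical consequence for analysts is the point: the three values must be recovered from the victim host before the embedded or appended payload can be decrypted.

```python
"""Environmental keying of the kind described under T1480: the payload
decrypts only on the host whose volume serial, hostname and DNS domain
it was keyed to.

Added example, not DEADEYE's implementation. HMAC-SHA256 in counter mode
plus an HMAC tag stands in for a real cipher so the block needs only the
standard library. TARGET and SANDBOX are constructed identifier tuples.
"""
import hashlib
import hmac
import os


def environment_key(volume_serial: int, hostname: str, dns_domain: str) -> bytes:
    """Derive a 32-byte key from the three identifiers. Names are case-folded
    so the guardrail does not depend on how the API capitalises them."""
    material = b"|".join([
        volume_serial.to_bytes(4, "little"),   # DWORD from GetVolumeInformation
        hostname.casefold().encode(),          # e.g. GetComputerNameExA result
        dns_domain.casefold().encode(),
    ])
    return hashlib.sha256(material).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, truncated to the requested length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, key: bytes) -> bytes:
    """Operator side: nonce || tag || ciphertext, keyed to one environment."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + tag + ct


def unseal(blob: bytes, key: bytes):
    """Victim side: return the payload, or None when the derived key (and so
    the environment) is wrong. Nothing is decrypted unless the tag verifies."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed identifiers: the intended host and a typical analysis sandbox.
TARGET = (0x1A2B3C4D, "FILESRV01", "corp.example.local")
SANDBOX = (0x00000000, "DESKTOP-ABC123", "WORKGROUP")


def guardrail_demo():
    """Seal a placeholder payload for TARGET, then try to open it on both hosts."""
    payload = b"<payload DLL bytes>"   # constructed placeholder
    blob = seal(payload, environment_key(*TARGET))
    on_target = unseal(blob, environment_key(*TARGET))
    in_sandbox = unseal(blob, environment_key(*SANDBOX))
    return on_target, in_sandbox


if __name__ == "__main__":
    on_target, in_sandbox = guardrail_demo()
    print("target host  :", on_target)
    print("sandbox host :", in_sandbox)
```

Because the tag is checked before any decryption, a detonation on the wrong host yields neither the payload nor a partially decrypted copy of it; a static analyst therefore needs the victim's volume serial, hostname and DNS domain (from a disk image or host triage) to reproduce the key.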
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0096 | APT41 | 1 |