C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet-facing web applications. During C0017, APT41 was quick to adapt and use publicly disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown; however, APT41 was observed exfiltrating Personal Identifiable Information (PII).[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | During C0017, APT41 collected information related to compromised machines as well as Personal Identifiable Information (PII) from victim networks.[1] |
| Enterprise | T1090 | Proxy | During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic.[1] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | During C0017, APT41 used |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx, likely to avoid hunting detections.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access.[1] |
| Enterprise | T1574 | Hijack Execution Flow | During C0017, APT41 established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | During C0017, APT41 used |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | During C0017, APT41 deployed JScript web shells on compromised systems.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During C0017, APT41 ran |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | During C0017, APT41 hex-encoded PII data prior to exfiltration.[1] |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | During C0017, APT41 copied the |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | During C0017, APT41 copied the local |
| Enterprise | T1001.003 | Data Obfuscation: Protocol or Service Impersonation | During C0017, APT41 frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.[1] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | During C0017, APT41 exfiltrated victim data via DNS lookups by encoding it and prepending it as subdomains to the attacker-controlled domain.[1] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | During C0017, APT41 deployed JScript web shells through the creation of malicious ViewState objects.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.[1] |
| Enterprise | T1082 | System Information Discovery | During C0017, APT41 issued |
| Enterprise | T1033 | System Owner/User Discovery | During C0017, APT41 used |
| Enterprise | T1016 | System Network Configuration Discovery | During C0017, APT41 used |
| Enterprise | T1102 | Web Service | During C0017, APT41 used Cloudflare services for C2 communications.[1] |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | During C0017, APT41 used dead drop resolvers on two separate tech community forums for their KEYPLUG Windows-version backdoor; notably, APT41 updated the community forum posts frequently with new dead drop resolvers during the campaign.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | For C0017, APT41 obtained publicly available tools such as YSoSerial.NET, ConfuserEx, and BadPotato.[1] |
| Enterprise | T1134 | Access Token Manipulation | During C0017, APT41 used a ConfuserEx-obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local |
| Enterprise | T1105 | Ingress Tool Transfer | During C0017, APT41 downloaded malicious payloads onto compromised systems.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | During C0017, APT41 used its Cloudflare services C2 channels for data exfiltration.[1] |
| Enterprise | T1567 | Exfiltration Over Web Service | During C0017, APT41 used Cloudflare services for data exfiltration.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | During C0017, APT41 used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: |
| ID | Name | Description |
|---|---|---|
| S0154 | Cobalt Strike | During C0017, APT41 used the DUSTPAN in-memory dropper to drop a Cobalt Strike BEACON backdoor onto a compromised network.[1] |
| S1052 | DEADEYE | |
| S0105 | dsquery | During C0017, APT41 used multiple dsquery commands to enumerate various Active Directory objects within a compromised environment.[1] |
| S1051 | KEYPLUG | |
| S0002 | Mimikatz | During C0017, APT41 used Mimikatz to execute the |
| S0097 | Ping | During C0017, APT41 issued Ping commands to trigger DNS resolutions for data exfiltration, where the output of a reconnaissance command was prepended to subdomains within APT41's Cloudflare C2 infrastructure.[1] |
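The exfiltration pattern described under T1048.003, T1560.003 and the Ping entry (data hex-encoded and prepended as subdomain labels to an attacker-controlled domain, with resolution triggered by ordinary lookups) leaves a recognisable trace in DNS query logs. The following detector is an added example, not taken from the report or from ATT&CK; the log format, the `example-c2.test` zone and the hex payloads are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the report): "<timestamp> <client_ip> <queried_name>".
# The example-c2.test zone and the hex-encoded payloads are made up for this example.
SAMPLE_DNS_LOG = """\
2021-06-01T10:00:01 10.1.2.3 www.example.com
2021-06-01T10:00:02 10.1.2.3 4a6f686e20446f652c3132332d34352d36373839.cdn-update.example-c2.test
2021-06-01T10:00:03 10.1.2.3 mail.example.com
2021-06-01T10:00:03 10.1.2.3 53414d504c4520504949.cdn-update.example-c2.test
2021-06-01T10:00:04 10.1.2.9 static.cdn-update.example-c2.test
"""

HEX_LABEL = re.compile(r"^[0-9a-f]+$")

def is_hex_label(label, min_len=16):
    """Even-length, all-hex label of at least min_len chars; short hex-looking words
    such as "cafe" fall under the threshold (tune min_len and allow-list known hosts)."""
    return len(label) >= min_len and len(label) % 2 == 0 and bool(HEX_LABEL.match(label))

def extract_hex_payload(qname, min_len=16):
    """Decode the leading run of hex labels of a queried name.
    Exfiltrated data is chunked into labels (63 chars max each) in front of the attacker's
    zone, so collect leading hex labels and stop at the first non-hex one; at least one
    non-hex label must remain for the zone. Returns decoded bytes, or None if no payload."""
    labels = qname.rstrip(".").lower().split(".")
    payload = []
    for label in labels:
        if not is_hex_label(label, min_len):
            break
        payload.append(label)
    if not payload or len(payload) == len(labels):
        return None
    return bytes.fromhex("".join(payload))

def find_hex_exfil(log_text, min_len=16):
    """Group suspected hex-encoded DNS exfiltration by client, with the decoded payloads."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        decoded = extract_hex_payload(qname, min_len)
        if decoded is not None:
            findings[client].append((qname, decoded))
    return dict(findings)
```

On the constructed log this flags only client 10.1.2.3 and decodes its two queries to readable PII-like strings, while the legitimate `www`, `mail` and `static` names pass. In production, the same check works on Windows DNS analytic logs, Zeek `dns.log` or resolver query logs once the name field is extracted, and should be paired with per-client query-volume thresholds.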