C0021

C0021 was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. C0021's technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected APT29 activity.[1][2]

ID: C0021
First Seen: November 2018 [2][1]
Last Seen: November 2018 [2][1]
Version: 1.0
Created: 15 March 2023
Last Modified: 05 April 2023

Techniques Used

Domain ID Name Use
Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

During C0021, the threat actors used SSL via TCP port 443 for C2 communications.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

During C0021, the threat actors deobfuscated encoded PowerShell commands including use of the specific string 'FromBase'+0x40+'String', in place of FromBase64String which is normally used to decode base64.[2][1]
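The 'FromBase'+0x40+'String' construct works because PowerShell, when the left operand of + is a string, converts 0x40 to its decimal text "64" and appends it, so the expression evaluates to FromBase64String without that token ever appearing in the script. The following added example (not part of the ATT&CK page or any C0021 artifact) folds such literal-only concatenations in PowerShell script-block text and flags a base64 decode that only appears after folding; the script-block samples are constructed for illustration.

```python
import re

# One literal term: single- or double-quoted string, hex integer, or decimal integer.
TERM = r"'[^']*'|\"[^\"]*\"|0x[0-9A-Fa-f]+|\d+"
# A run of two or more literal terms joined with '+', e.g. 'FromBase'+0x40+'String'.
CONCAT_RE = re.compile(rf"(?:{TERM})(?:\s*\+\s*(?:{TERM}))+")
TERM_RE = re.compile(TERM)
DECODE_RE = re.compile(r"FromBase64String", re.IGNORECASE)

# Constructed sample script-block texts (hypothetical, not from the campaign).
# The first mimics the T1140 construct; the second is an unobfuscated decode.
SAMPLE_SCRIPT_BLOCKS = [
    "[Text.Encoding]::Unicode.GetString([Convert]::('FromBase'+0x40+'String')($p))",
    "[Convert]::FromBase64String($blob)",
    "Get-ChildItem C:\\Users | Select-Object Name",
]


def _literal_value(tok):
    """Render a literal the way PowerShell does when appending it to a string."""
    if tok[0] in "'\"":
        return tok[1:-1]
    # Integers (hex or decimal) are appended in decimal form: 0x40 -> "64".
    return str(int(tok, 16) if tok.lower().startswith("0x") else int(tok))


def fold_concat(script):
    """Replace runs of '+'-joined literals that start with a string by one literal."""
    def repl(match):
        toks = TERM_RE.findall(match.group(0))
        if toks[0][0] not in "'\"":
            return match.group(0)  # leading number: numeric addition, leave untouched
        return "'" + "".join(_literal_value(t) for t in toks) + "'"
    return CONCAT_RE.sub(repl, script)


def detect_base64_decode(script):
    """Report whether the script decodes base64, and whether that was hidden by concatenation."""
    folded = fold_concat(script)
    direct = DECODE_RE.search(script) is not None
    after_fold = DECODE_RE.search(folded) is not None
    return {"normalized": folded, "base64_decode": after_fold,
            "obfuscated": after_fold and not direct}


def flag_samples(blocks=SAMPLE_SCRIPT_BLOCKS):
    """Return the indexes of sample blocks where the decode only appears after folding."""
    return [i for i, b in enumerate(blocks) if detect_base64_decode(b)["obfuscated"]]


if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        print(detect_base64_decode(block))
```

The same folding applies to PowerShell script-block logging (Event ID 4104) text, where the decoded call surfaces only after normalization.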

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

During C0021, the threat actors used obfuscated PowerShell to extract an encoded payload from within an .LNK file.[2][1]

Enterprise T1584.001 Compromise Infrastructure: Domains

For C0021, the threat actors used legitimate but compromised domains to host malicious payloads.[1]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

During C0021, the threat actors used HTTP for some of their C2 communications.[2]

Enterprise T1608.001 Stage Capabilities: Upload Malware

For C0021, the threat actors uploaded malware to websites under their control.[2][1]

Enterprise T1027.009 Obfuscated Files or Information: Embedded Payloads

For C0021, the threat actors embedded a base64-encoded payload within a LNK file.[1]

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

During C0021, the threat actors used encoded PowerShell commands.[2][1]

Enterprise T1204.001 User Execution: Malicious Link

During C0021, the threat actors lured users into clicking a malicious link which led to the download of a ZIP archive containing a malicious .LNK file.[2]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

During C0021, the threat actors used rundll32.exe to execute the Cobalt Strike Beacon loader DLL.[2]

Enterprise T1583.001 Acquire Infrastructure: Domains

For C0021, the threat actors registered domains for use in C2.[2]

Enterprise T1588.002 Obtain Capabilities: Tool

For C0021, the threat actors used Cobalt Strike configured with a modified variation of the publicly available Pandora Malleable C2 Profile.[2][1]

Enterprise T1105 Ingress Tool Transfer

During C0021, the threat actors downloaded additional tools and files onto victim machines.[1][2]

Enterprise T1566.002 Phishing: Spearphishing Link

During C0021, the threat actors sent phishing emails with unique malicious links, likely for tracking victim clicks.[2][1]

Enterprise T1095 Non-Application Layer Protocol

During C0021, the threat actors used TCP for some C2 communications.[2]

Software

ID Name Description

S0154 Cobalt Strike [2][1]

References