APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information gathering purposes. In APT41 DUST, APT41 used previously observed malware such as DUSTPAN as well as newly observed tools such as DUSTTRAP.[1]
| ID | Name | Description |
|---|---|---|
| G0096 | APT41 | APT41 DUST was conducted by APT41 from 2023 to July 2024.[1] |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1213 | Data from Information Repositories | APT41 DUST collected data from victim Oracle databases using SQLULDR2.[1] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | APT41 DUST disguised DUSTPAN as a legitimate Windows binary such as |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | APT41 DUST used Windows Services with names such as |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | APT41 DUST used HTTPS for command and control.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | APT41 DUST involved the use of DLL search order hijacking to execute DUSTTRAP.[1] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | APT41 DUST used DLL side-loading to execute DUSTTRAP via an AhnLab uninstaller.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT41 DUST used HTTPS for command and control.[1] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | APT41 DUST used |
| Enterprise | T1594 | Search Victim-Owned Websites | APT41 DUST involved access of external victim websites for target development.[1] |
| Enterprise | T1596.005 | Search Open Technical Databases: Scan Databases | APT41 DUST used internet scan data for target development.[1] |
| Enterprise | T1593.002 | Search Open Websites/Domains: Search Engines | APT41 DUST involved use of search engines to research victim servers.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | APT41 DUST involved exporting data from Oracle databases to local CSV files prior to exfiltration.[1] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | APT41 DUST involved use of web shells such as ANTSWORD and BLUEBEAM for persistence.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | APT41 DUST used encrypted payloads decrypted and executed in memory.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | APT41 DUST deleted various artifacts from victim systems following use.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | APT41 DUST used Windows services to execute DUSTPAN.[1] |
| Enterprise | T1102 | Web Service | APT41 DUST used compromised Google Workspace accounts for command and control.[1] |
| Enterprise | T1119 | Automated Collection | APT41 DUST used tools such as SQLULDR2 and PINEGROVE to gather local system and database information.[1] |
| Enterprise | T1583.007 | Acquire Infrastructure: Serverless | APT41 DUST used infrastructure hosted behind Cloudflare or utilized Cloudflare Workers for command and control.[1] |
| Enterprise | T1588.003 | Obtain Capabilities: Code Signing Certificates | APT41 DUST used stolen code signing certificates to sign DUSTTRAP malware and components.[1] |
| Enterprise | T1586.003 | Compromise Accounts: Cloud Accounts | APT41 DUST used compromised Google Workspace accounts for command and control.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | APT41 DUST involved execution of |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | APT41 DUST exfiltrated collected information to OneDrive.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | APT41 DUST used stolen code signing certificates for DUSTTRAP malware and subsequent payloads.[1] |
| ID | Name | Description |
|---|---|---|
| S0160 | certutil | APT41 DUST used certutil to load and execute DUSTPAN.[1] |
| S0154 | Cobalt Strike | Cobalt Strike was used during APT41 DUST.[1] |
| S1158 | DUSTPAN | DUSTPAN was used during APT41 DUST.[1] |
| S1159 | DUSTTRAP | DUSTTRAP was used during APT41 DUST.[1] |