
APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries, in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
ID: G0096
Associated Groups: Wicked Panda, Brass Typhoon, BARIUM
Version: 4.1
Created: 23 Sep 2019
Last Modified: 10 Oct 2024

Associated Group Descriptions

Name Description
Wicked Panda (Citation: Crowdstrike GTR2020 Mar 2020)
Brass Typhoon (Citation: Microsoft Threat Actor Naming July 2023)
BARIUM (Citation: Microsoft Threat Actor Naming July 2023)

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

APT41 used built-in net commands to enumerate local administrator groups.(Citation: Rostovcev APT41 2021)

.002 Account Discovery: Domain Account

APT41 used built-in net commands to enumerate domain administrator users.(Citation: Rostovcev APT41 2021)

Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

APT41 has added user accounts to the User and Admin groups.(Citation: FireEye APT41 Aug 2019)

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

APT41 used the Acunetix SQL injection vulnerability scanner in target reconnaissance operations, as well as the JexBoss tool to identify vulnerabilities in Java applications.(Citation: Rostovcev APT41 2021)

.003 Active Scanning: Wordlist Scanning

APT41 leverages various tools and frameworks to brute-force directories on web servers.(Citation: Rostovcev APT41 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.(Citation: FireEye APT41 March 2020)

.002 Application Layer Protocol: File Transfer Protocols

APT41 used exploit payloads that initiate download via FTP.(Citation: FireEye APT41 March 2020)

.004 Application Layer Protocol: DNS

APT41 used DNS for C2 communications.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT41 created a RAR archive of targeted files for exfiltration.(Citation: FireEye APT41 Aug 2019) Additionally, APT41 used the makecab.exe utility to both download tools, such as NATBypass, to the victim network and to archive a file for exfiltration.(Citation: apt41_dcsocytec_dec2022)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT41 created and modified startup files for persistence.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.(Citation: FireEye APT41 March 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT41 leveraged PowerShell to deploy malware families in victims’ environments.(Citation: FireEye APT41 Aug 2019)(Citation: FireEye APT41 March 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

APT41 used cmd.exe /c to execute commands on remote machines.(Citation: FireEye APT41 Aug 2019) APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.(Citation: FireEye APT41 March 2020)

.004 Command and Scripting Interpreter: Unix Shell

APT41 used Linux shell commands for system survey and information gathering prior to exploitation of vulnerabilities such as CVE-2019-19871.(Citation: FireEye APT41 March 2020)

Enterprise T1136 .001 Create Account: Local Account

APT41 has created user accounts.(Citation: FireEye APT41 Aug 2019)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT41 modified legitimate Windows services to install malware backdoors.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.(Citation: FireEye APT41 March 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT41 used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores.(Citation: Rostovcev APT41 2021)

Enterprise T1213 .003 Data from Information Repositories: Code Repositories

APT41 cloned victim user Git repositories during intrusions.(Citation: Rostovcev APT41 2021)

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

APT41 used scheduled tasks created via Group Policy Objects (GPOs) to deploy ransomware.(Citation: apt41_mandiant)

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

APT41 has used DGAs to change their C2 servers monthly.(Citation: FireEye APT41 Aug 2019)

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

APT41 leveraged sticky keys to establish persistence.(Citation: FireEye APT41 Aug 2019)

Enterprise T1480 .001 Execution Guardrails: Environmental Keying

APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number.(Citation: Twitter ItsReallyNick APT41 EK)

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

APT41 has used search order hijacking to execute malicious payloads, such as Winnti for Windows.(Citation: Crowdstrike GTR2020 Mar 2020)

.002 Hijack Execution Flow: DLL Side-Loading

APT41 used legitimate executables to perform DLL side-loading of their malware.(Citation: FireEye APT41 Aug 2019)

.006 Hijack Execution Flow: Dynamic Linker Hijacking

APT41 has configured payloads to load via LD_PRELOAD.(Citation: Crowdstrike GTR2020 Mar 2020)

Enterprise T1562 .006 Impair Defenses: Indicator Blocking

APT41 developed a custom injector that enables an Event Tracing for Windows (ETW) bypass, making malicious processes invisible to Windows logging.(Citation: Rostovcev APT41 2021)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.(Citation: FireEye APT41 Aug 2019)

.003 Indicator Removal: Clear Command History

APT41 attempted to remove evidence of some of its activity by deleting Bash histories.(Citation: FireEye APT41 Aug 2019)

.004 Indicator Removal: File Deletion

APT41 deleted files from the system.(Citation: FireEye APT41 Aug 2019)(Citation: Rostovcev APT41 2021)

Enterprise T1056 .001 Input Capture: Keylogging

APT41 used a keylogger called GEARSHIFT on a target system.(Citation: FireEye APT41 Aug 2019)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

APT41 has created services to appear as benign system tools.(Citation: Group IB APT 41 June 2021)

.005 Masquerading: Match Legitimate Name or Location

APT41 attempted to masquerade their files as popular anti-virus software.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT41 has used hashdump, Mimikatz, Procdump, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)(Citation: apt41_dcsocytec_dec2022)

.002 OS Credential Dumping: Security Account Manager

APT41 extracted user account data from the Security Account Manager (SAM), making a copy of this database from the registry using the reg save command or by exploiting volume shadow copies.(Citation: Rostovcev APT41 2021)

.003 OS Credential Dumping: NTDS

APT41 used ntdsutil to obtain a copy of the victim environment ntds.dit file.(Citation: Rostovcev APT41 2021)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

APT41 uses packers such as Themida to obfuscate malicious files.(Citation: Rostovcev APT41 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.(Citation: FireEye APT41 Aug 2019)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.(Citation: FireEye APT41 Aug 2019)

Enterprise T1542 .003 Pre-OS Boot: Bootkit

APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.(Citation: FireEye APT41 Aug 2019)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT41 used RDP for lateral movement.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020) APT41 used NATBypass to expose local RDP ports on compromised systems to the Internet.(Citation: apt41_dcsocytec_dec2022)

.002 Remote Services: SMB/Windows Admin Shares

APT41 has transferred implant files using Windows Admin Shares and the Server Message Block (SMB) protocol, then executed the files through Windows Management Instrumentation (WMI).(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: apt41_dcsocytec_dec2022)

Enterprise T1496 .001 Resource Hijacking: Compute Hijacking

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.(Citation: FireEye APT41 Aug 2019)(Citation: apt41_mandiant)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT41 used a compromised account to create a scheduled task on a system.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)

Enterprise T1596 .005 Search Open Technical Databases: Scan Databases

APT41 uses the Chinese website fofa.su, similar to the Shodan scanning service, for passive scanning of victims.(Citation: Rostovcev APT41 2021)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.(Citation: FireEye APT41 Aug 2019)

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

APT41 used compiled HTML (.chm) files for targeting.(Citation: FireEye APT41 Aug 2019)

.011 System Binary Proxy Execution: Rundll32

APT41 has used rundll32.exe to execute a loader.(Citation: Crowdstrike GTR2020 Mar 2020)

Enterprise T1569 .002 System Services: Service Execution

APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader.(Citation: FireEye APT41 March 2020)(Citation: Group IB APT 41 June 2021)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

APT41 uses tools such as Mimikatz to enable lateral movement via captured password hashes.(Citation: Rostovcev APT41 2021)

Enterprise T1102 .001 Web Service: Dead Drop Resolver

APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.(Citation: FireEye APT41 Aug 2019)

Software

ID Name References Techniques
S0039 Net (Citation: FireEye APT41 Aug 2019) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account
S0160 certutil (Citation: FireEye APT41 March 2020) (Citation: TechNet Certutil) Archive via Utility, Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer
S0194 PowerSploit (Citation: FireEye APT41 Aug 2019) (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) Path Interception by PATH Environment Variable, Keylogging, Reflective Code Loading, Credentials in Registry, Indicator Removal from Tools, Audio Capture, Windows Management Instrumentation, Path Interception by Unquoted Path, Query Registry, Data from Local System, Group Policy Preferences, Path Interception, Dynamic-link Library Injection, Command Obfuscation, Access Token Manipulation, Windows Service, Screen Capture, Registry Run Keys / Startup Folder, Scheduled Task, DLL Search Order Hijacking, Path Interception by Search Order Hijacking, Kerberoasting, Local Account, Security Support Provider, Process Discovery, Windows Credential Manager, PowerShell, Domain Trust Discovery, LSASS Memory
S0357 Impacket (Citation: apt41_dcsocytec_dec2022) (Citation: Impacket Tools) LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, LSA Secrets
S0100 ipconfig (Citation: Group IB APT 41 June 2021) (Citation: TechNet Ipconfig) System Network Configuration Discovery
S1159 DUSTTRAP (Citation: Google Cloud APT41 2024) Domain Account, Query Registry, Group Policy Discovery, Process Injection, Keylogging, Indicator Removal, Encrypted/Encoded File, Process Discovery, Local Account, Screen Capture, Security Software Discovery, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, File and Directory Discovery, Data from Local System, System Network Configuration Discovery, Windows Command Shell, Clear Windows Event Logs, Application Window Discovery, Network Share Connection Removal, Exfiltration Over C2 Channel, System Time Discovery, Domain Trust Discovery, System Information Discovery, Embedded Payloads, Remote System Discovery, Log Enumeration, System Checks, Network Share Discovery
S0363 Empire (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Command Obfuscation, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Information Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S1158 DUSTPAN (Citation: Google Cloud APT41 2022) (Citation: Google Cloud APT41 2024) Match Legitimate Name or Location, Encrypted/Encoded File, Deobfuscate/Decode Files or Information, Portable Executable Injection, Embedded Payloads, Windows Service
S0105 dsquery (Citation: Mandiant APT41) (Citation: TechNet Dsquery) Domain Account, Domain Trust Discovery, Domain Groups, System Information Discovery
S0104 netstat (Citation: FireEye APT41 Aug 2019) (Citation: TechNet Netstat) System Network Connections Discovery
S0073 ASPXSpy (Citation: Dell TG-3390) (Citation: FireEye APT41 Aug 2019) Web Shell
S0020 China Chopper (Citation: apt41_dcsocytec_dec2022) (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: Rapid7 HAFNIUM Mar 2021) Password Guessing, Data from Local System, Software Packing, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Network Service Discovery, Timestomp, Web Shell, File and Directory Discovery
S0190 BITSAdmin (Citation: FireEye APT41 March 2020) (Citation: Microsoft BITSAdmin) Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, BITS Jobs
S0013 PlugX (Citation: apt41_mandiant) (Citation: CIRCL PlugX March 2013) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: Thoper) (Citation: TVT) Modify Registry, File and Directory Discovery, Masquerade Task or Service, Hidden Files and Directories, Multiband Communication, Non-Application Layer Protocol, Keylogging, Dead Drop Resolver, DLL Side-Loading, Process Discovery, Query Registry, DLL Search Order Hijacking, Network Share Discovery, MSBuild, Web Protocols, Windows Service, Windows Command Shell, Ingress Tool Transfer, System Checks, System Network Connections Discovery, Match Legitimate Name or Location, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, DNS, Screen Capture, Commonly Used Port, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Native API, Obfuscated Files or Information
S1051 KEYPLUG (Citation: KEYPLUG.LINUX) (Citation: Mandiant APT41) Web Protocols, System Time Discovery, Dead Drop Resolver, Encrypted/Encoded File, Deobfuscate/Decode Files or Information, Asymmetric Cryptography, Proxy, Non-Application Layer Protocol
S0430 Winnti for Linux (Citation: Chronicle Winnti for Linux May 2019) (Citation: Crowdstrike GTR2020 Mar 2020) Web Protocols, Non-Application Layer Protocol, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Traffic Signaling, Encrypted/Encoded File, Ingress Tool Transfer, Rootkit
S0032 gh0st RAT (Citation: Arbor Musical Chairs Feb 2018) (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Hacking Team) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom) Shared Modules, Modify Registry, Ingress Tool Transfer, Process Injection, Rundll32, Service Execution, DLL Side-Loading, Command and Scripting Interpreter, Query Registry, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Non-Application Layer Protocol, Native API, Process Discovery, Windows Service, Registry Run Keys / Startup Folder, Clear Windows Event Logs, System Information Discovery, File Deletion, Screen Capture, Fast Flux DNS, Keylogging, Standard Encoding, Encrypted Channel
S0021 Derusbi (Citation: Fidelis Turbo) (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Periscope March 2018) (Citation: Novetta-Axiom) (Citation: PHOTO) (Citation: ThreatConnect Anthem) Keylogging, Unix Shell, Regsvr32, System Information Discovery, Timestomp, Dynamic-link Library Injection, Custom Command and Control Protocol, File Deletion, Non-Standard Port, Symmetric Cryptography, System Owner/User Discovery, Audio Capture, File and Directory Discovery, Commonly Used Port, Fallback Channels, Non-Application Layer Protocol, Screen Capture, Video Capture, Process Discovery, Query Registry
S0225 sqlmap (Citation: Rostovcev APT41 2021) (Citation: sqlmap Introduction) Exploit Public-Facing Application
S0443 MESSAGETAP (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: FireEye MESSAGETAP October 2019) File Deletion, Network Sniffing, Deobfuscate/Decode Files or Information, Local Data Staging, System Network Connections Discovery, Archive via Custom Method, Automated Collection, File and Directory Discovery
S0006 pwdump (Citation: FireEye APT41 Aug 2019) (Citation: Wikipedia pwdump) Security Account Manager
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: FireEye APT41 March 2020) (Citation: Group IB APT 41 June 2021) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, File Transfer Protocols, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: FireEye APT41 Aug 2019) (Citation: Group IB APT 41 June 2021) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0097 Ping (Citation: FireEye APT41 Aug 2019) (Citation: Group IB APT 41 June 2021) (Citation: TechNet Ping) Remote System Discovery
S0112 ROCKBOOT (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Bootkits) Bootkit
S0095 ftp (Citation: FireEye APT41 March 2020) (Citation: Linux FTP) (Citation: Microsoft FTP) Commonly Used Port, Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer
S0412 ZxShell (Citation: FireEye APT41 Aug 2019) (Citation: Sensocode) (Citation: Talos ZxShell Oct 2014) VNC, System Information Discovery, Commonly Used Port, Proxy, Web Protocols, Non-Standard Port, Uncommonly Used Port, Credential API Hooking, File and Directory Discovery, Screen Capture, Query Registry, Data from Local System, System Owner/User Discovery, Exploit Public-Facing Application, Process Discovery, Network Service Discovery, Modify Registry, Clear Windows Event Logs, File Deletion, Disable or Modify System Firewall, Windows Service, File Transfer Protocols, Dynamic-link Library Injection, Windows Command Shell, Remote Desktop Protocol, Create Process with Token, Video Capture, Rundll32, Disable or Modify Tools, Local Account, Endpoint Denial of Service, Native API, Service Execution, Keylogging, System Service Discovery, Ingress Tool Transfer
S0069 BLACKCOFFEE (Citation: FireEye APT17) (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Periscope March 2018) File and Directory Discovery, Multi-Stage Channels, Windows Command Shell, Process Discovery, Dead Drop Resolver, File Deletion, Bidirectional Communication
S0385 njRAT (Citation: Bladabindi) (Citation: Fidelis njRAT June 2013) (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Njw0rm Aug 2013) (Citation: LV) (Citation: Njw0rm) (Citation: Trend Micro njRAT 2018) System Information Discovery, Credentials from Web Browsers, Application Window Discovery, Ingress Tool Transfer, File and Directory Discovery, Query Registry, Peripheral Device Discovery, Video Capture, Screen Capture, Native API, Remote System Discovery, File Deletion, PowerShell, Disable or Modify System Firewall, Encrypted/Encoded File, Standard Encoding, Compile After Delivery, Non-Standard Port, Replication Through Removable Media, System Owner/User Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Uncommonly Used Port, Custom Command and Control Protocol, Keylogging, Web Protocols, Clear Persistence, Modify Registry, Exfiltration Over C2 Channel, Process Discovery, Fast Flux DNS, Indicator Removal, Windows Command Shell, Data from Local System
S0596 ShadowPad (Citation: FireEye APT41 Aug 2019) (Citation: Kaspersky ShadowPad Aug 2017) (Citation: POISONPLUG.SHADOW) (Citation: Recorded Future RedEcho Feb 2021) (Citation: Securelist ShadowPad Aug 2017) System Owner/User Discovery, Modify Registry, System Time Discovery, Indicator Removal, Deobfuscate/Decode Files or Information, Fileless Storage, Indicator Removal, System Network Configuration Discovery, Scheduled Transfer, Process Discovery, DNS, Non-Standard Encoding, File Transfer Protocols, Non-Application Layer Protocol, Obfuscated Files or Information, Web Protocols, Process Injection, System Information Discovery, Domain Generation Algorithms, Ingress Tool Transfer, Dynamic-link Library Injection

References

  1. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  2. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  3. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  4. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
  5. Mandiant. (n.d.). APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION. Retrieved June 11, 2024.
  6. DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024.
  7. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  8. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  9. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  10. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman & John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved September 16, 2024.
  11. Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.
  12. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages? Retrieved May 11, 2020.
  13. FireEye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  14. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
