
APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting industries including, but not limited to, healthcare, telecom, technology, finance, education, retail and video games in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
ID: G0096
Associated Groups: BARIUM, Brass Typhoon, Wicked Panda
Version: 4.1
Created: 23 Sep 2019
Last Modified: 22 Apr 2025

Associated Group Descriptions

Name Description
BARIUM (Citation: Microsoft Threat Actor Naming July 2023)
Brass Typhoon (Citation: Microsoft Threat Actor Naming July 2023)
Wicked Panda (Citation: Crowdstrike GTR2020 Mar 2020)

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

APT41 used built-in net commands to enumerate local administrator groups.(Citation: Rostovcev APT41 2021)

.002 Account Discovery: Domain Account

APT41 used built-in net commands to enumerate domain administrator users.(Citation: Rostovcev APT41 2021)

Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

APT41 has added user accounts to the User and Admin groups.(Citation: FireEye APT41 Aug 2019)

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

APT41 used the Acunetix SQL injection vulnerability scanner in target reconnaissance operations, as well as the JexBoss tool to identify vulnerabilities in Java applications.(Citation: Rostovcev APT41 2021)

.003 Active Scanning: Wordlist Scanning

APT41 leverages various tools and frameworks to brute-force directories on web servers.(Citation: Rostovcev APT41 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.(Citation: FireEye APT41 March 2020)

.002 Application Layer Protocol: File Transfer Protocols

APT41 used exploit payloads that initiate download via ftp.(Citation: FireEye APT41 March 2020)

.004 Application Layer Protocol: DNS

APT41 used DNS for C2 communications.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT41 created a RAR archive of targeted files for exfiltration.(Citation: FireEye APT41 Aug 2019) Additionally, APT41 used the makecab.exe utility to both download tools, such as NATBypass, to the victim network and to archive a file for exfiltration.(Citation: apt41_dcsocytec_dec2022)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT41 created and modified startup files for persistence.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.(Citation: FireEye APT41 March 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT41 leveraged PowerShell to deploy malware families in victims’ environments.(Citation: FireEye APT41 Aug 2019)(Citation: FireEye APT41 March 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

APT41 used cmd.exe /c to execute commands on remote machines.(Citation: FireEye APT41 Aug 2019) APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.(Citation: FireEye APT41 March 2020)

.004 Command and Scripting Interpreter: Unix Shell

APT41 used Linux shell commands for system survey and information gathering prior to exploitation of vulnerabilities such as CVE-2019-19871.(Citation: FireEye APT41 March 2020)

Enterprise T1136 .001 Create Account: Local Account

APT41 has created user accounts.(Citation: FireEye APT41 Aug 2019)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT41 modified legitimate Windows services to install malware backdoors.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.(Citation: FireEye APT41 March 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT41 used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores.(Citation: Rostovcev APT41 2021)

Enterprise T1213 .003 Data from Information Repositories: Code Repositories

APT41 cloned victim user Git repositories during intrusions.(Citation: Rostovcev APT41 2021)

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

APT41 used scheduled tasks created via Group Policy Objects (GPOs) to deploy ransomware.(Citation: apt41_mandiant)

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

APT41 has used DGAs to change their C2 servers monthly.(Citation: FireEye APT41 Aug 2019)

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

APT41 leveraged sticky keys to establish persistence.(Citation: FireEye APT41 Aug 2019)

Enterprise T1480 .001 Execution Guardrails: Environmental Keying

APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number.(Citation: Twitter ItsReallyNick APT41 EK)

Enterprise T1574 .001 Hijack Execution Flow: DLL

APT41 has used search order hijacking to execute malicious payloads, such as Winnti for Windows.(Citation: Crowdstrike GTR2020 Mar 2020) APT41 has also used legitimate executables to perform DLL side-loading of their malware.(Citation: FireEye APT41 Aug 2019)

.002 Hijack Execution Flow: DLL Side-Loading

APT41 used legitimate executables to perform DLL side-loading of their malware.(Citation: FireEye APT41 Aug 2019)

.006 Hijack Execution Flow: Dynamic Linker Hijacking

APT41 has configured payloads to load via LD_PRELOAD.(Citation: Crowdstrike GTR2020 Mar 2020)

Enterprise T1562 .006 Impair Defenses: Indicator Blocking

APT41 developed a custom injector that enables an Event Tracing for Windows (ETW) bypass, making malicious processes invisible to Windows logging.(Citation: Rostovcev APT41 2021)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.(Citation: FireEye APT41 Aug 2019)

.003 Indicator Removal: Clear Command History

APT41 attempted to remove evidence of some of its activity by deleting Bash histories.(Citation: FireEye APT41 Aug 2019)

.004 Indicator Removal: File Deletion

APT41 deleted files from the system.(Citation: FireEye APT41 Aug 2019)(Citation: Rostovcev APT41 2021)

Enterprise T1056 .001 Input Capture: Keylogging

APT41 used a keylogger called GEARSHIFT on a target system.(Citation: FireEye APT41 Aug 2019)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

APT41 has created services to appear as benign system tools.(Citation: Group IB APT 41 June 2021)

.005 Masquerading: Match Legitimate Resource Name or Location

APT41 attempted to masquerade their files as popular anti-virus software.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT41 has used hashdump, Mimikatz, Procdump, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)(Citation: apt41_dcsocytec_dec2022)

.002 OS Credential Dumping: Security Account Manager

APT41 extracted user account data from the Security Account Manager (SAM), making a copy of this database from the registry using the reg save command or by exploiting volume shadow copies.(Citation: Rostovcev APT41 2021)

.003 OS Credential Dumping: NTDS

APT41 used ntdsutil to obtain a copy of the victim environment ntds.dit file.(Citation: Rostovcev APT41 2021)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

APT41 uses packers such as Themida to obfuscate malicious files.(Citation: Rostovcev APT41 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.(Citation: FireEye APT41 Aug 2019)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.(Citation: FireEye APT41 Aug 2019)

Enterprise T1542 .003 Pre-OS Boot: Bootkit

APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.(Citation: FireEye APT41 Aug 2019)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT41 used RDP for lateral movement.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020) APT41 used NATBypass to expose local RDP ports on compromised systems to the Internet.(Citation: apt41_dcsocytec_dec2022)

.002 Remote Services: SMB/Windows Admin Shares

APT41 has transferred implant files using Windows Admin Shares and the Server Message Block (SMB) protocol, then executed those files through Windows Management Instrumentation (WMI).(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: apt41_dcsocytec_dec2022)

Enterprise T1496 .001 Resource Hijacking: Compute Hijacking

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.(Citation: FireEye APT41 Aug 2019)(Citation: apt41_mandiant)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT41 used a compromised account to create a scheduled task on a system.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)

Enterprise T1596 .005 Search Open Technical Databases: Scan Databases

APT41 uses the Chinese website fofa.su, similar to the Shodan scanning service, for passive scanning of victims.(Citation: Rostovcev APT41 2021)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.(Citation: FireEye APT41 Aug 2019)

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

APT41 used compiled HTML (.chm) files for targeting.(Citation: FireEye APT41 Aug 2019)

.011 System Binary Proxy Execution: Rundll32

APT41 has used rundll32.exe to execute a loader.(Citation: Crowdstrike GTR2020 Mar 2020)

Enterprise T1569 .002 System Services: Service Execution

APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader.(Citation: FireEye APT41 March 2020)(Citation: Group IB APT 41 June 2021)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

APT41 uses tools such as Mimikatz to enable lateral movement via captured password hashes.(Citation: Rostovcev APT41 2021)

Enterprise T1102 .001 Web Service: Dead Drop Resolver

APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.(Citation: FireEye APT41 Aug 2019)

Software

ID Name References Techniques
S0039 Net (Citation: FireEye APT41 Aug 2019) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S0160 certutil (Citation: FireEye APT41 March 2020) (Citation: TechNet Certutil) Archive via Utility, Deobfuscate/Decode Files or Information, Install Root Certificate, Ingress Tool Transfer
S0194 PowerSploit (Citation: FireEye APT41 Aug 2019) (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) Scheduled Task, Windows Management Instrumentation, Screen Capture, Keylogging, Path Interception by PATH Environment Variable, Audio Capture, Local Account, Windows Service, DLL, Credentials in Registry, Data from Local System, Reflective Code Loading, Security Support Provider, Path Interception by Search Order Hijacking, LSASS Memory, Domain Trust Discovery, Group Policy Preferences, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Indicator Removal from Tools, Path Interception by Unquoted Path, Query Registry, Path Interception, Windows Credential Manager, Command Obfuscation, Access Token Manipulation, Kerberoasting, Dynamic-link Library Injection
S0357 Impacket (Citation: Impacket Tools) (Citation: apt41_dcsocytec_dec2022) Windows Management Instrumentation, Security Account Manager, LSA Secrets, Network Sniffing, Ccache Files, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Lateral Tool Transfer, NTDS, Service Execution, Kerberoasting
S0100 ipconfig (Citation: Group IB APT 41 June 2021) (Citation: TechNet Ipconfig) System Network Configuration Discovery
S1159 DUSTTRAP (Citation: Google Cloud APT41 2024) Screen Capture, Embedded Payloads, Keylogging, Encrypted/Encoded File, Group Policy Discovery, Domain Account, Local Account, System Checks, Network Share Discovery, System Information Discovery, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Application Window Discovery, Clear Windows Event Logs, System Network Configuration Discovery, Domain Trust Discovery, Indicator Removal, File and Directory Discovery, Log Enumeration, Process Discovery, Exfiltration Over C2 Channel, Network Share Connection Removal, Query Registry, Security Software Discovery, Windows Command Shell, Remote System Discovery, Ingress Tool Transfer, System Time Discovery
S0363 Empire (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Path Interception by PATH Environment Variable, Bypass User Account Control, Group Policy Discovery, Local Email Collection, Domain Account, Local Account, Windows Service, SSH, DLL, Automated Collection, Clipboard Data, Network Sniffing, Network Share Discovery, System Information Discovery, Native API, Process Injection, Timestomp, Shortcut Modification, Security Support Provider, Archive Collected Data, Credentials from Web Browsers, Path Interception by Search Order Hijacking, Group Policy Modification, Browser Information Discovery, Private Keys, Local Account, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, Distributed Component Object Model, Video Capture, System Network Configuration Discovery, Accessibility Features, Command and Scripting Interpreter, Domain Account, Domain Trust Discovery, Golden Ticket, Automated Exfiltration, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Exfiltration to Code Repository, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, SID-History Injection, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Path Interception by Unquoted Path, MSBuild, Security Software Discovery, Windows Command Shell, Silver Ticket, Command Obfuscation, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Ingress Tool Transfer, Service Execution, Kerberoasting, Credential API Hooking, Commonly Used Port, Dylib Hijacking
S1158 DUSTPAN (Citation: Google Cloud APT41 2022) (Citation: Google Cloud APT41 2024) Embedded Payloads, Encrypted/Encoded File, Match Legitimate Resource Name or Location, Windows Service, Deobfuscate/Decode Files or Information, Portable Executable Injection
S0105 dsquery (Citation: Mandiant APT41) (Citation: TechNet Dsquery) Domain Account, Domain Groups, System Information Discovery, Domain Trust Discovery
S0104 netstat (Citation: FireEye APT41 Aug 2019) (Citation: TechNet Netstat) System Network Connections Discovery
S0073 ASPXSpy (Citation: Dell TG-3390) (Citation: FireEye APT41 Aug 2019) Web Shell
S0020 China Chopper (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: Rapid7 HAFNIUM Mar 2021) (Citation: apt41_dcsocytec_dec2022) Password Guessing, Data from Local System, Timestomp, Web Shell, File and Directory Discovery, Windows Command Shell, Software Packing, Web Protocols, Network Service Discovery, Ingress Tool Transfer
S1185 LightSpy (Citation: MelikovBlackBerry LightSpy 2024) Screen Capture, Shared Modules, Encrypted/Encoded File, Audio Capture, Keychain, System Information Discovery, Binary Padding, Browser Information Discovery, File and Directory Discovery, Execution Guardrails, Process Discovery, Exfiltration Over C2 Channel, Web Protocols, Network Service Discovery, Software Discovery, Ingress Tool Transfer
S0190 BITSAdmin (Citation: FireEye APT41 March 2020) (Citation: Microsoft BITSAdmin) Lateral Tool Transfer, BITS Jobs, Ingress Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol
S0013 PlugX (Citation: CIRCL PlugX March 2013) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: TVT) (Citation: Thoper) (Citation: apt41_mandiant) Screen Capture, Keylogging, DNS, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, System Checks, DLL, Network Share Discovery, Native API, Deobfuscate/Decode Files or Information, Disable or Modify System Firewall, Modify Registry, File and Directory Discovery, Masquerade Task or Service, System Network Connections Discovery, Process Discovery, Multiband Communication, Registry Run Keys / Startup Folder, Non-Standard Port, Obfuscated Files or Information, Non-Application Layer Protocol, Query Registry, MSBuild, Windows Command Shell, Web Protocols, DLL Side-Loading, Ingress Tool Transfer, Hidden Files and Directories, Custom Command and Control Protocol, Dead Drop Resolver, Commonly Used Port
S1051 KEYPLUG (Citation: KEYPLUG.LINUX) (Citation: Mandiant APT41) Encrypted/Encoded File, Deobfuscate/Decode Files or Information, Proxy, Asymmetric Cryptography, Non-Application Layer Protocol, Web Protocols, System Time Discovery, Dead Drop Resolver
S0430 Winnti for Linux (Citation: Chronicle Winnti for Linux May 2019) (Citation: Crowdstrike GTR2020 Mar 2020) Encrypted/Encoded File, Rootkit, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Traffic Signaling, Non-Application Layer Protocol, Web Protocols, Ingress Tool Transfer
S0032 gh0st RAT (Citation: Arbor Musical Chairs Feb 2018) (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Hacking Team) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom) Screen Capture, Rundll32, Standard Encoding, Keylogging, Shared Modules, Symmetric Cryptography, Windows Service, Fast Flux DNS, DLL, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Process Injection, Modify Registry, Clear Windows Event Logs, Command and Scripting Interpreter, Process Discovery, Registry Run Keys / Startup Folder, Encrypted Channel, Non-Application Layer Protocol, Query Registry, File Deletion, Ingress Tool Transfer, Service Execution
S0021 Derusbi (Citation: Fidelis Turbo) (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Periscope March 2018) (Citation: Novetta-Axiom) (Citation: PHOTO) (Citation: ThreatConnect Anthem) Screen Capture, System Owner/User Discovery, Keylogging, Audio Capture, Symmetric Cryptography, System Information Discovery, Timestomp, Video Capture, File and Directory Discovery, Process Discovery, Unix Shell, Non-Standard Port, Regsvr32, Non-Application Layer Protocol, Query Registry, File Deletion, Fallback Channels, Dynamic-link Library Injection, Custom Command and Control Protocol, Commonly Used Port
S0225 sqlmap (Citation: Rostovcev APT41 2021) (Citation: sqlmap Introduction) Exploit Public-Facing Application
S0443 MESSAGETAP (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: FireEye MESSAGETAP October 2019) Archive via Custom Method, Local Data Staging, Automated Collection, Network Sniffing, Deobfuscate/Decode Files or Information, File and Directory Discovery, System Network Connections Discovery, File Deletion
S0006 pwdump (Citation: FireEye APT41 Aug 2019) (Citation: Wikipedia pwdump) Security Account Manager
S0154 Cobalt Strike (Citation: FireEye APT41 March 2020) (Citation: Group IB APT 41 June 2021) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: FireEye APT41 Aug 2019) (Citation: Group IB APT 41 June 2021) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0097 Ping (Citation: FireEye APT41 Aug 2019) (Citation: Group IB APT 41 June 2021) (Citation: TechNet Ping) Remote System Discovery
S0112 ROCKBOOT (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Bootkits) Bootkit
S0095 ftp (Citation: FireEye APT41 March 2020) (Citation: Linux FTP) (Citation: Microsoft FTP) Lateral Tool Transfer, Ingress Tool Transfer, Commonly Used Port, Exfiltration Over Unencrypted Non-C2 Protocol
S0412 ZxShell (Citation: FireEye APT41 Aug 2019) (Citation: Sensocode) (Citation: Talos ZxShell Oct 2014) VNC, Screen Capture, System Owner/User Discovery, Rundll32, Keylogging, Windows Service, System Service Discovery, System Information Discovery, Native API, Data from Local System, Exploit Public-Facing Application, Disable or Modify System Firewall, Modify Registry, Local Account, Clear Windows Event Logs, Create Process with Token, Video Capture, Proxy, File and Directory Discovery, Process Discovery, File Transfer Protocols, Disable or Modify Tools, Non-Standard Port, Query Registry, Endpoint Denial of Service, Uncommonly Used Port, Windows Command Shell, File Deletion, Web Protocols, Network Service Discovery, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Credential API Hooking, Commonly Used Port
S0069 BLACKCOFFEE (Citation: FireEye APT17) (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Periscope March 2018) File and Directory Discovery, Multi-Stage Channels, Process Discovery, Bidirectional Communication, Windows Command Shell, File Deletion, Dead Drop Resolver
S0385 njRAT (Citation: Bladabindi) (Citation: Fidelis njRAT June 2013) (Citation: FireEye APT41 Aug 2019) (Citation: FireEye Njw0rm Aug 2013) (Citation: LV) (Citation: Njw0rm) (Citation: Trend Micro njRAT 2018) Screen Capture, System Owner/User Discovery, Standard Encoding, Keylogging, Encrypted/Encoded File, Fast Flux DNS, Peripheral Device Discovery, System Information Discovery, Native API, Replication Through Removable Media, Data from Local System, Application Window Discovery, Disable or Modify System Firewall, Modify Registry, Credentials from Web Browsers, Video Capture, Indicator Removal, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Registry Run Keys / Startup Folder, Non-Standard Port, Query Registry, Compile After Delivery, Uncommonly Used Port, Windows Command Shell, Clear Persistence, File Deletion, Web Protocols, Remote System Discovery, Ingress Tool Transfer, Remote Desktop Protocol, Custom Command and Control Protocol
S0596 ShadowPad (Citation: FireEye APT41 Aug 2019) (Citation: Kaspersky ShadowPad Aug 2017) (Citation: POISONPLUG.SHADOW) (Citation: Recorded Future RedEcho Feb 2021) (Citation: Securelist ShadowPad Aug 2017) Fileless Storage, System Owner/User Discovery, Domain Generation Algorithms, DNS, System Information Discovery, Deobfuscate/Decode Files or Information, Process Injection, Scheduled Transfer, Modify Registry, System Network Configuration Discovery, Indicator Removal, Process Discovery, File Transfer Protocols, Obfuscated Files or Information, Non-Application Layer Protocol, Non-Standard Encoding, Web Protocols, Ingress Tool Transfer, System Time Discovery, Dynamic-link Library Injection
