Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

DEADEYE

DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).(Citation: Mandiant APT41)

ID: S1052

Associated Software: DEADEYE.EMBED DEADEYE.APPEND

Type: MALWARE

Platforms: Windows

Created: 20 Dec 2022

Last Modified: 11 Apr 2024

Name	Description
Associated Software Descriptions
DEADEYE.EMBED	(Citation: Mandiant APT41)
DEADEYE.APPEND	(Citation: Mandiant APT41)

Domain	ID		Name	Use
Techniques Used
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	DEADEYE can run `cmd /c copy /y /b C:\Users\public\syslog_6-*.dat C:\Users\public\syslog.dll` to combine separated sections of code into a single DLL prior to execution.(Citation: Mandiant APT41)
Enterprise	T1564	.004	Hide Artifacts: NTFS File Attributes	The DEADEYE.EMBED variant of DEADEYE can embed its payload in an alternate data stream of a local file.(Citation: Mandiant APT41)
Enterprise	T1036	.004	Masquerading: Masquerade Task or Service	DEADEYE has used `schtasks /change` to modify scheduled tasks including `\Microsoft\Windows\PLA\Server Manager Performance Monitor`, `\Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults`, and `\Microsoft\Windows\WDI\USOShared`.(Citation: Mandiant APT41)
Enterprise	T1027	.009	Obfuscated Files or Information: Embedded Payloads	The DEADEYE.EMBED variant of DEADEYE has the ability to embed payloads inside of a compiled binary.(Citation: Mandiant APT41)
		.013	Obfuscated Files or Information: Encrypted/Encoded File	DEADEYE has encrypted its payload.(Citation: Mandiant APT41)
Enterprise	T1218	.007	System Binary Proxy Execution: Msiexec	DEADEYE can use `msiexec.exe` for execution of malicious DLL.(Citation: Mandiant APT41)
		.011	System Binary Proxy Execution: Rundll32	DEADEYE can use `rundll32.exe` for execution of living off the land binaries (lolbin) such as `SHELL32.DLL`.(Citation: Mandiant APT41)

References

Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

DEADEYE

Associated Software Descriptions

Techniques Used

References