C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet-facing web applications. During C0017, APT41 was quick to adapt and use publicly disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown; however, APT41 was observed exfiltrating Personally Identifiable Information (PII).
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1001.003 | Data Obfuscation: Protocol Impersonation | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1567 | Exfiltration Over Web Service | |
| Enterprise | T1190 | Exploit Public-Facing Application | During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access. |
| Enterprise | T1068 | Exploitation for Privilege Escalation | |
| Enterprise | T1574 | Hijack Execution Flow | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | During C0017, APT41 used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: |
| Enterprise | T1505.003 | Server Software Component: Web Shell | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1033 | System Owner/User Discovery | |
| | .001 | Dead Drop Resolver | During C0017, APT41 used dead drop resolvers on two separate tech community forums for their KEYPLUG Windows-version backdoor; notably APT41 updated the community forum posts frequently with new dead drop resolvers during the campaign. |
During C0017, APT41 issued Ping commands to trigger DNS resolutions for data exfiltration, where the output of a reconnaissance command was prepended to subdomains within APT41's Cloudflare C2 infrastructure.
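The exfiltration described above leaves a characteristic trace in DNS query logs: a burst of lookups from one host where the leftmost label of each queried name is encoded reconnaissance output under a single attacker-controlled zone. The following detector is an added example (not code from the original page, from MITRE, or from any APT41 tooling) that flags such bursts in a resolver log. The log format, the hex encoding, the `example-cdn.invalid` zone, the client addresses and all thresholds are constructed assumptions for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the original page).
# Format per line: <timestamp> <client-ip> <queried-name> <qtype>
# The three long leftmost labels are hex-encoded host/user names, the
# shape a "ping <output>.<zone>" exfiltration pattern produces.
SAMPLE_DNS_LOG = """\
2021-09-14T10:01:02Z 10.20.30.41 www.example.com A
2021-09-14T10:01:05Z 10.20.30.41 5745425352563031.api.example-cdn.invalid A
2021-09-14T10:01:06Z 10.20.30.41 4445534b544f502d504331.api.example-cdn.invalid A
2021-09-14T10:01:07Z 10.20.30.41 61646d696e6973747261746f72.api.example-cdn.invalid A
2021-09-14T10:02:00Z 10.20.30.55 mail.example.com MX
2021-09-14T10:02:10Z 10.20.30.55 cdn.api.example-cdn.invalid A
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{12,}$")
# base32-looking label: lowercase a-z plus digits 2-7, at least one digit
BASE32_LABEL = re.compile(r"^(?=.*[2-7])[a-z2-7]{16,}$")
MIN_ENTROPY_LEN = 20      # only long labels are judged by entropy
ENTROPY_THRESHOLD = 3.5   # bits per character (assumed tuning value)


def shannon_entropy(s: str) -> float:
    """Bits per character of s; higher values suggest encoded data."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one constructed log line; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def split_zone(qname: str):
    """Return (data_labels, zone); the last two labels are treated as the zone.
    A real deployment would use a public-suffix list instead of this shortcut."""
    labels = qname.split(".")
    if len(labels) < 3:
        return [], qname
    return labels[:-2], ".".join(labels[-2:])


def suspicious_label(label: str) -> bool:
    """True when a label looks like hex/base32 data or is long and high-entropy."""
    if HEX_LABEL.match(label) or BASE32_LABEL.match(label):
        return True
    return len(label) >= MIN_ENTROPY_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD


def decode_preview(label: str) -> str:
    """Best-effort ASCII preview of a hex label, for the analyst's triage."""
    if HEX_LABEL.match(label) and len(label) % 2 == 0:
        return bytes.fromhex(label).decode("ascii", errors="replace")
    return ""


def detect_dns_exfil(log_text: str, min_queries: int = 3):
    """Group suspicious queries by (client, zone) and alert once a burst
    reaches min_queries; returns a list of alert dicts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        data_labels, zone = split_zone(rec["qname"])
        for label in data_labels:
            if suspicious_label(label):
                hits[(rec["client"], zone)].append(label)
                break  # one hit per query is enough
    alerts = []
    for (client, zone), labels in sorted(hits.items()):
        if len(labels) >= min_queries:
            alerts.append({
                "client": client,
                "zone": zone,
                "queries": len(labels),
                "preview": [decode_preview(lbl) for lbl in labels],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_exfil(SAMPLE_DNS_LOG):
        print(alert)
```

Run over the constructed log, the detector raises one alert for `10.20.30.41` against `example-cdn.invalid` with three encoded queries. The zone split and the base32 heuristic are deliberately simple and will misfire on legitimate CDN or cloud-service names with long machine-generated labels, so in practice the zone list should be allowlisted against known infrastructure and the thresholds tuned on the organisation's own resolver baseline; correlating the alert with `ping.exe` process creation on the source host narrows it further.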