C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During C0017, APT41 was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown, however APT41 was observed exfiltrating Personal Identifiable Information (PII).[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1134 | Access Token Manipulation |
During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local |
|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
During C0017, APT41 ran |
Enterprise | T1560 | .003 | Archive Collected Data: Archive via Custom Method |
During C0017, APT41 hex-encoded PII data prior to exfiltration.[1] |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
During C0017, APT41 used |
.007 | Command and Scripting Interpreter: JavaScript |
During C0017, APT41 deployed JScript web shells on compromised systems.[1] |
||
Enterprise | T1005 | Data from Local System |
During C0017, APT41 collected information related to compromised machines as well as Personal Identifiable Information (PII) from victim networks.[1] |
|
Enterprise | T1001 | .003 | Data Obfuscation: Protocol Impersonation |
During C0017, APT41 frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.[1] |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
During C0017, APT41 copied the local |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.[1] |
|
Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
During C0017, APT41 exfiltrated victim data via DNS lookups by encoding and prepending it as subdomains to the attacker-controlled domain.[1] |
Enterprise | T1041 | Exfiltration Over C2 Channel |
During C0017, APT41 used its Cloudflare services C2 channels for data exfiltration.[1] |
|
Enterprise | T1567 | Exfiltration Over Web Service |
During C0017, APT41 used Cloudflare services for data exfiltration.[1] |
|
Enterprise | T1190 | Exploit Public-Facing Application |
During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access.[1] |
|
Enterprise | T1068 | Exploitation for Privilege Escalation |
During C0017, APT41 abused named pipe impersonation for privilege escalation.[1] |
|
Enterprise | T1574 | Hijack Execution Flow |
During C0017, APT41 established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries.[1] |
|
Enterprise | T1105 | Ingress Tool Transfer |
During C0017, APT41 downloaded malicious payloads onto compromised systems.[1] |
|
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
During C0017, APT41 used |
.005 | Masquerading: Match Legitimate Name or Location |
During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx likely to avoid hunting detections.[1] |
||
Enterprise | T1027 | Obfuscated Files or Information |
During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.[1] |
|
.002 | Software Packing |
During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.[1] |
||
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
For C0017, APT41 obtained publicly available tools such as YSoSerial.NET, ConfuserEx, and BadPotato.[1] |
Enterprise | T1003 | .002 | OS Credential Dumping: Security Account Manager |
During C0017, APT41 copied the |
Enterprise | T1090 | Proxy |
During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic.[1] |
|
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
During C0017, APT41 used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: |
Enterprise | T1505 | .003 | Server Software Component: Web Shell |
During C0017, APT41 deployed JScript web shells through the creation of malicious ViewState objects.[1] |
Enterprise | T1082 | System Information Discovery |
During C0017, APT41 issued |
|
Enterprise | T1016 | System Network Configuration Discovery |
During C0017, APT41 used |
|
Enterprise | T1033 | System Owner/User Discovery |
During C0017, APT41 used |
|
Enterprise | T1102 | Web Service |
During C0017, APT41 used the Cloudflare services for C2 communications.[1] |
|
.001 | Dead Drop Resolver |
During C0017, APT41 used dead drop resolvers on two separate tech community forums for their KEYPLUG Windows-version backdoor; notably APT41 updated the community forum posts frequently with new dead drop resolvers during the campaign.[1] |
ID | Name | Description |
---|---|---|
S0154 | Cobalt Strike |
During C0017, APT41 used the DUSTPAN in-memory dropper to drop a Cobalt Strike BEACON backdoor onto a compromised network.[1] |
S1052 | DEADEYE | |
S0105 | dsquery |
During C0017, APT41 used multiple dsquery commands to enumerate various Active Directory objects within a compromised environment.[1] |
S1051 | KEYPLUG | |
S0002 | Mimikatz |
During C0017, APT41 used Mimikatz to execute the |
S0097 | Ping |
During C0017, APT41 issued Ping commands to trigger DNS resolutions for data exfiltration, where the output of a reconnaissance command was prepended to subdomains within APT41's Cloudflare C2 infrastructure.[1] |