APT41 DUST
APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information gathering purposes. APT41 used previously-observed malware such as DUSTPAN as well as newly observed tools such as DUSTTRAP in APT41 DUST.[1]
Groups
| ID | Name | Description |
|---|---|---|
| G0096 | APT41 |
APT41 DUST was conducted by APT41 from 2023 to July 2024.[1] |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1583 | .007 | Acquire Infrastructure: Serverless |
APT41 DUST used infrastructure hosted behind Cloudflare or utilized Cloudflare Workers for command and control.[1] |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
APT41 DUST used HTTPS for command and control.[1] |
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
APT41 DUST used |
| Enterprise | T1119 | Automated Collection |
APT41 DUST used tools such as SQLULDR2 and PINEGROVE to gather local system and database information.[1] |
|
| Enterprise | T1586 | .003 | Compromise Accounts: Cloud Accounts |
APT41 DUST used compromised Google Workspace accounts for command and control.[1] |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
APT41 DUST used Windows Services with names such as |
| Enterprise | T1213 | Data from Information Repositories |
APT41 DUST collected data from victim Oracle databases using SQLULDR2.[1] |
|
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
APT41 DUST involved exporting data from Oracle databases to local CSV files prior to exfiltration.[1] |
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
APT41 DUST used HTTPS for command and control.[1] |
| Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
APT41 DUST exfiltrated collected information to OneDrive.[1] |
| Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking |
APT41 DUST involved the use of DLL search order hijacking to execute DUSTTRAP.[1] |
| .002 | Hijack Execution Flow: DLL Side-Loading |
APT41 DUST used DLL side-loading to execute DUSTTRAP via an AhnLab uninstaller.[1] |
||
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
APT41 DUST deleted various artifacts from victim systems following use.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
APT41 DUST involved execution of |
|
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
APT41 DUST disguised DUSTPAN as a legitimate Windows binary such as |
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
APT41 DUST used encrypted payloads decrypted and executed in memory.[1] |
| Enterprise | T1588 | .003 | Obtain Capabilities: Code Signing Certificates |
APT41 DUST used stolen code signing certificates to sign DUSTTRAP malware and components.[1] |
| Enterprise | T1596 | .005 | Search Open Technical Databases: Scan Databases |
APT41 DUST used internet scan data for target development.[1] |
| Enterprise | T1593 | .002 | Search Open Websites/Domains: Search Engines |
APT41 DUST involved use of search engines to research victim servers.[1] |
| Enterprise | T1594 | Search Victim-Owned Websites |
APT41 DUST involved access of external victim websites for target development.[1] |
|
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
APT41 DUST involved use of web shells such as ANTSWORD and BLUEBEAM for persistence.[1] |
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
APT41 DUST used stolen code signing certificates for DUSTTRAP malware and subsequent payloads.[1] |
| Enterprise | T1569 | .002 | System Services: Service Execution |
APT41 DUST used Windows services to execute DUSTPAN.[1] |
| Enterprise | T1102 | Web Service |
APT41 DUST used compromised Google Workspace accounts for command and control.[1] |
|
Software
| ID | Name | Description |
|---|---|---|
| S0160 | certutil |
APT41 DUST used certutil to load and execute DUSTPAN.[1] |
| S0154 | Cobalt Strike |
Cobalt Strike was used during APT41 DUST.[1] |
| S1158 | DUSTPAN |
DUSTPAN was used during APT41 DUST.[1] |
| S1159 | DUSTTRAP |
DUSTTRAP was used during APT41 DUST.[1] |