APT41

APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.[1]

ID: G0096
Version: 1.1
Created: 23 September 2019
Last Modified: 24 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

APT41 used DNS for C2 communications.[1]

Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

APT41 used exploit payloads that initiate download via FTP.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.[2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT41 created a RAR archive of targeted files for exfiltration.[1]

Enterprise T1197 BITS Jobs

APT41 used BITSAdmin to download and install payloads.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT41 created and modified startup files for persistence.[1] APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.[2]

Enterprise T1110 .002 Brute Force: Password Cracking

APT41 performed password brute-force attacks on the local admin account.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT41 leveraged PowerShell to deploy malware families in victims’ environments.[1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

APT41 used cmd.exe /c to execute commands on remote machines.[1] APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.[2]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

APT41 executed file /bin/pwd in activity exploiting CVE-2019-19781 against Citrix devices.[2]

Enterprise T1136 .001 Create Account: Local Account

APT41 created user accounts and added them to the User and Admin groups.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT41 modified legitimate Windows services to install malware backdoors.[1] APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.[2]

Enterprise T1486 Data Encrypted for Impact

APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[1]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

APT41 has used DGAs to change their C2 servers monthly.[1]

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

APT41 leveraged sticky keys to establish persistence.[1]

Enterprise T1480 .001 Execution Guardrails: Environmental Keying

APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second-stage malware with an RC5 key derived in part from the infected system's volume serial number.[3]

Enterprise T1190 Exploit Public-Facing Application

APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.[2]

Enterprise T1203 Exploitation for Client Execution

APT41 leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.[1]

Enterprise T1133 External Remote Services

APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.[1]

Enterprise T1008 Fallback Channels

APT41 used the Steam community page as a fallback mechanism for C2.[1]

Enterprise T1083 File and Directory Discovery

APT41 has executed the file /bin/pwd on exploited victims, perhaps to return architecture-related information.[2]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

APT41 used legitimate executables to perform DLL side-loading of their malware.[1]

Enterprise T1070 .001 Indicator Removal on Host: Clear Windows Event Logs

APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.[1]

Enterprise T1070 .003 Indicator Removal on Host: Clear Command History

APT41 attempted to remove evidence of some of its activity by deleting Bash histories.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

APT41 deleted files from the system.[1]

Enterprise T1105 Ingress Tool Transfer

APT41 used certutil to download additional files.[2]

Enterprise T1056 .001 Input Capture: Keylogging

APT41 used a keylogger called GEARSHIFT on a target system.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

APT41 attempted to masquerade their files as popular anti-virus software.[1]

Enterprise T1112 Modify Registry

APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.[1]

Enterprise T1104 Multi-Stage Channels

APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.[2]

Enterprise T1046 Network Service Scanning

APT41 used a malware variant called WIDETONE to conduct port scans on the specified subnets.[1]

Enterprise T1135 Network Share Discovery

APT41 used the net share command as part of network reconnaissance.[1]

Enterprise T1027 Obfuscated Files or Information

APT41 used binaries packed with VMProtect in multiple intrusions.[2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT41 used the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.[1]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.[1]

Enterprise T1055 Process Injection

APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.[1]

Enterprise T1090 Proxy

APT41 used a tool called CLASSFON to covertly proxy network communications.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT41 used RDP for lateral movement.[1]

Enterprise T1496 Resource Hijacking

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.[1]

Enterprise T1014 Rootkit

APT41 deployed rootkits on Linux systems.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT41 used a compromised account to create a scheduled task on a system.[1]

Enterprise T1218 .001 Signed Binary Proxy Execution: Compiled HTML File

APT41 used compiled HTML (.chm) files for targeting.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[1]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.[1]

Enterprise T1016 System Network Configuration Discovery

APT41 collected MAC addresses from victim machines.[1]

Enterprise T1049 System Network Connections Discovery

APT41 used the netstat command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions.[1]

Enterprise T1033 System Owner/User Discovery

APT41 used the WMIEXEC utility to execute whoami commands on remote machines.[1]

Enterprise T1569 .002 System Services: Service Execution

APT41 used Net to execute a system service installed to launch a Cobalt Strike BEACON loader.[2]

Enterprise T1078 Valid Accounts

APT41 used compromised credentials to log on to other systems.[1]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.[1]

Enterprise T1047 Windows Management Instrumentation

APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.[1]

Software

ID Name References Techniques
S0073 ASPXSpy

[1]

Server Software Component: Web Shell
S0190 BITSAdmin

[2]

BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0069 BLACKCOFFEE

[1]

Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host: File Deletion, Multi-Stage Channels, Process Discovery, Web Service: Dead Drop Resolver, Web Service: Bidirectional Communication
S0160 certutil

[2]

Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0020 China Chopper

[1]

Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Network Service Scanning, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0154 Cobalt Strike

[2]

Abuse Elevation Control Mechanism: Bypass User Access Control, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Commonly Used Port, Create or Modify System Process: Windows Service, Data from Local System, Exploitation for Privilege Escalation, Indicator Removal on Host: Timestomp, Input Capture: Keylogging, Man in the Browser, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection, Process Injection: Process Hollowing, Protocol Tunneling, Proxy: Internal Proxy, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0021 Derusbi

[1]

Audio Capture, Command and Scripting Interpreter: Unix Shell, Commonly Used Port, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, Signed Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0095 FTP

[2]

Commonly Used Port, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
S0032 gh0st RAT

[1]

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Commonly Used Port, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: Clear Windows Event Logs, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Screen Capture, Signed Binary Proxy Execution: Rundll32
S0443 MESSAGETAP

[4]

Archive Collected Data: Archive via Custom Method, Automated Collection, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, File and Directory Discovery, Indicator Removal on Host: File Deletion, Network Sniffing, System Network Connections Discovery
S0002 Mimikatz

[1]

Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net

[1]

Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat

[1]

System Network Connections Discovery
S0385 njRAT

[1]

Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Peripheral Device Discovery, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0097 Ping

[1]

Remote System Discovery
S0013 PlugX

[1]

Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0194 PowerSploit

[1]

Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Input Capture: Keylogging, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: LSASS Memory, Path Interception, Process Discovery, Process Injection: Portable Executable Injection, Process Injection: Dynamic-link Library Injection, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0006 pwdump

[1]

OS Credential Dumping: Security Account Manager
S0112 ROCKBOOT

[1]

Pre-OS Boot: Bootkit
S0412 ZxShell

[1]

Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Create or Modify System Process: Windows Service, Endpoint Denial of Service, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Network Service Scanning, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Query Registry, Remote Services: Remote Desktop Protocol, Remote Services: VNC, Screen Capture, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Service Discovery, Video Capture

References