1. Home
  2. Software
  3. Cannon

Cannon

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [1][2]

ID: S0351
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 30 January 2019
Last Modified: 25 April 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .003 Application Layer Protocol: Mail Protocols

Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.[1]
Enterprise T1547 .004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Cannon adds the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to establish persistence.[1]
Enterprise T1041 Exfiltration Over C2 Channel

Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.[1]
Enterprise T1083 File and Directory Discovery

Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.[1]
Enterprise T1105 Ingress Tool Transfer

Cannon can download a payload for execution.[1]
Enterprise T1057 Process Discovery

Cannon can obtain a list of processes running on the system.[1][2]
Enterprise T1113 Screen Capture

Cannon can take a screenshot of the desktop.[1]
Enterprise T1082 System Information Discovery

Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.[1][2]
Enterprise T1033 System Owner/User Discovery

Cannon can gather the username from the system.[1]
Enterprise T1124 System Time Discovery

Cannon can collect the current time zone information from the victim’s machine.[1]

Groups That Use This Software

ID Name References
G0007 APT28

[1][2]

References

  1. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  1. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.