ATT&CK v12 is now live! Check out the updates here

SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Heyoka Backdoor

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

Heyoka Backdoor

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Cannon

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. ^[1]^[2]

ID: S0351

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 30 January 2019

Last Modified: 30 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.003	Application Layer Protocol: Mail Protocols	Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.^[1]
Enterprise	T1547	.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	Cannon adds the Registry key `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` to establish persistence.^[1]
Enterprise	T1041		Exfiltration Over C2 Channel	Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.^[1]
Enterprise	T1083		File and Directory Discovery	Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.^[1]
Enterprise	T1105		Ingress Tool Transfer	Cannon can download a payload for execution.^[1]
Enterprise	T1057		Process Discovery	Cannon can obtain a list of processes running on the system.^[1]^[2]
Enterprise	T1113		Screen Capture	Cannon can take a screenshot of the desktop.^[1]
Enterprise	T1082		System Information Discovery	Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.^[1]^[2]
Enterprise	T1033		System Owner/User Discovery	Cannon can gather the username from the system.^[1]
Enterprise	T1124		System Time Discovery	Cannon can collect the current time zone information from the victim’s machine.^[1]

Groups That Use This Software

ID	Name	References
G0007	APT28	^[1]^[2]

References

Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.

Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.