Cannon
Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [1][2]
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1041 | Exfiltration Over Command and Control Channel | Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.[1] |
Enterprise | T1083 | File and Directory Discovery | Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.[1] |
Enterprise | T1057 | Process Discovery | Cannon can obtain a list of processes running on the system.[1][2] |
Enterprise | T1105 | Remote File Copy | |
Enterprise | T1113 | Screen Capture | |
Enterprise | T1071 | Standard Application Layer Protocol | Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.[1] |
Enterprise | T1082 | System Information Discovery | Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.[1][2] |
Enterprise | T1033 | System Owner/User Discovery | |
Enterprise | T1124 | System Time Discovery | Cannon can collect the current time zone information from the victim’s machine.[1] |
Enterprise | T1065 | Uncommonly Used Port | |
Enterprise | T1004 | Winlogon Helper DLL | Cannon adds the Registry key |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0007 | APT28 | [1] [2] |