JUST RELEASED: ATT&CK for Industrial Control Systems

SOFTWARE

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

X-Agent for Android

SOFTWARE

1-9

A-B

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

E-F

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

S-T

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

X-Agent for Android

Y-Z

Cannon

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. ^[1]^[2]

ID: S0351

Type: MALWARE

Platforms: Windows

Version: 1.0

Created: 30 January 2019

Last Modified: 22 April 2019

Techniques Used

Domain	ID	Name	Use
Enterprise	T1041	Exfiltration Over Command and Control Channel	Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.^[1]
Enterprise	T1083	File and Directory Discovery	Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.^[1]
Enterprise	T1057	Process Discovery	Cannon can obtain a list of processes running on the system.^[1]^[2]
Enterprise	T1105	Remote File Copy	Cannon can download a payload for execution.^[1]
Enterprise	T1113	Screen Capture	Cannon can take a screenshot of the desktop.^[1]
Enterprise	T1071	Standard Application Layer Protocol	Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.^[1]
Enterprise	T1082	System Information Discovery	Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.^[1]^[2]
Enterprise	T1033	System Owner/User Discovery	Cannon can gather the username from the system.^[1]
Enterprise	T1124	System Time Discovery	Cannon can collect the current time zone information from the victim’s machine.^[1]
Enterprise	T1065	Uncommonly Used Port	Cannon uses port 587 for C2.^[1]
Enterprise	T1004	Winlogon Helper DLL	Cannon adds the Registry key `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` to establish persistence.^[1]

Groups That Use This Software

ID	Name	References
G0007	APT28	^[1] ^[2]

References

Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.

Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.