Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [1][2]

ID: S0351
Platforms: Windows
Version: 1.1
Created: 30 January 2019
Last Modified: 30 March 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.[1] |
| Enterprise | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | Cannon adds the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to establish persistence.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.[1] |
| Enterprise | T1083 | File and Directory Discovery | Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Cannon can download a payload for execution.[1] |
| Enterprise | T1057 | Process Discovery | Cannon can obtain a list of processes running on the system.[1][2] |
| Enterprise | T1113 | Screen Capture | Cannon can take a screenshot of the desktop.[1] |
| Enterprise | T1082 | System Information Discovery | Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.[1][2] |
| Enterprise | T1033 | System Owner/User Discovery | Cannon can gather the username from the system.[1] |
| Enterprise | T1124 | System Time Discovery | Cannon can collect the current time zone information from the victim’s machine.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0007 | APT28 | |