SOFTWARE
Arp
at
cmd
Dok
FTP
Net
Orz
Reg
RTM
Tor
yty
SOFTWARE
1-9
A-B
Arp
at
C-D
cmd
Dok
E-F
FTP
G-H
I-J
K-L
M-N
Net
O-P
Orz
Q-R
Reg
RTM
S-T
Tor
U-V
W-X
Y-Z
yty
  1. Home
  2. Software
  3. Cannon

Cannon

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [1][2]

ID: S0351
Type: MALWARE
Platforms: Windows
Version: 1.0
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1041 Exfiltration Over Command and Control Channel

Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.[1]
Enterprise T1083 File and Directory Discovery

Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.[1]
Enterprise T1057 Process Discovery

Cannon can obtain a list of processes running on the system.[1][2]
Enterprise T1105 Remote File Copy

Cannon can download a payload for execution.[1]
Enterprise T1113 Screen Capture

Cannon can take a screenshot of the desktop.[1]
Enterprise T1071 Standard Application Layer Protocol

Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.[1]
Enterprise T1082 System Information Discovery

Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.[1][2]
Enterprise T1033 System Owner/User Discovery

Cannon can gather the username from the system.[1]
Enterprise T1124 System Time Discovery

Cannon can collect the current time zone information from the victim’s machine.[1]
Enterprise T1065 Uncommonly Used Port

Cannon uses port 587 for C2.[1]
Enterprise T1004 Winlogon Helper DLL

Cannon adds the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to establish persistence.[1]

Groups That Use This Software

ID Name References
G0007 APT28 [1] [2]

References

  1. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  1. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.