DEADEYE

DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).^[1]

ID: S1052

ⓘ

Associated Software: DEADEYE.EMBED, DEADEYE.APPEND

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 20 December 2022

Last Modified: 11 April 2024

Version Permalink

Live Version

Associated Software Descriptions

Name	Description
DEADEYE.EMBED	^[1]
DEADEYE.APPEND	^[1]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	DEADEYE can run `cmd /c copy /y /b C:\Users\public\syslog_6-*.dat C:\Users\public\syslog.dll` to combine separated sections of code into a single DLL prior to execution.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	DEADEYE has the ability to combine multiple sections of a binary which were broken up to evade detection into a single .dll prior to execution.^[1]
Enterprise	T1480		Execution Guardrails	DEADEYE can ensure it executes only on intended systems by identifying the victim's volume serial number, hostname, and/or DNS domain.^[1]
Enterprise	T1564	.004	Hide Artifacts: NTFS File Attributes	The DEADEYE.EMBED variant of DEADEYE can embed its payload in an alternate data stream of a local file.^[1]
Enterprise	T1036	.004	Masquerading: Masquerade Task or Service	DEADEYE has used `schtasks /change` to modify scheduled tasks including `\Microsoft\Windows\PLA\Server Manager Performance Monitor`, `\Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults`, and `\Microsoft\Windows\WDI\USOShared`.^[1]
Enterprise	T1106		Native API	DEADEYE can execute the `GetComputerNameA` and `GetComputerNameExA` WinAPI functions.^[1]
Enterprise	T1027	.009	Obfuscated Files or Information: Embedded Payloads	The DEADEYE.EMBED variant of DEADEYE has the ability to embed payloads inside of a compiled binary.^[1]
		.013	Obfuscated Files or Information: Encrypted/Encoded File	DEADEYE has encrypted its payload.^[1]
Enterprise	T1053		Scheduled Task/Job	DEADEYE has used the scheduled tasks `\Microsoft\Windows\PLA\Server Manager Performance Monitor`, `\Microsoft\Windows\Ras\ManagerMobility`, `\Microsoft\Windows\WDI\SrvSetupResults`, and `\Microsoft\Windows\WDI\USOShared` to establish persistence.^[1]
Enterprise	T1218	.007	System Binary Proxy Execution: Msiexec	DEADEYE can use `msiexec.exe` for execution of malicious DLL.^[1]
		.011	System Binary Proxy Execution: Rundll32	DEADEYE can use `rundll32.exe` for execution of living off the land binaries (lolbin) such as `SHELL32.DLL`.^[1]
Enterprise	T1082		System Information Discovery	DEADEYE can enumerate a victim computer's volume serial number and host name.^[1]
Enterprise	T1016		System Network Configuration Discovery	DEADEYE can discover the DNS domain name of a targeted system.^[1]

Groups That Use This Software

ID	Name	References
G0096	APT41	^[1]

Campaigns

ID	Name	Description
C0017	C0017	^[1]

References

Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.