APT41 DUST, Campaign C0040 | MITRE ATT&CK®

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.007 | Acquire Infrastructure: Serverless | APT41 DUST used infrastructure hosted behind Cloudflare or utilized Cloudflare Workers for command and control.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT41 DUST used HTTPS for command and control.[1] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | APT41 DUST used rar to compress data downloaded from internal Oracle databases prior to exfiltration.[1] |
| Enterprise | T1119 | Automated Collection | APT41 DUST used tools such as SQLULDR2 and PINEGROVE to gather local system and database information.[1] |
| Enterprise | T1586.003 | Compromise Accounts: Cloud Accounts | APT41 DUST used compromised Google Workspace accounts for command and control.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | APT41 DUST used Windows Services with names such as Windows Defend for persistence of DUSTPAN.[1] |
| Enterprise | T1213.006 | Data from Information Repositories: Databases | APT41 DUST collected data from victim Oracle databases using SQLULDR2.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | APT41 DUST involved exporting data from Oracle databases to local CSV files prior to exfiltration.[1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | APT41 DUST used HTTPS for command and control.[1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | APT41 DUST exfiltrated collected information to OneDrive.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | APT41 DUST involved the use of DLL search order hijacking to execute DUSTTRAP.[1] APT41 DUST also used DLL side-loading to execute DUSTTRAP via an AhnLab uninstaller.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | APT41 DUST deleted various artifacts from victim systems following use.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | APT41 DUST involved execution of certutil.exe via web shell to download the DUSTPAN dropper.[1] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | APT41 DUST disguised DUSTPAN as a legitimate Windows binary such as w3wp.exe or conn.exe.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | APT41 DUST used encrypted payloads that were decrypted and executed in memory.[1] |
| Enterprise | T1588.003 | Obtain Capabilities: Code Signing Certificates | APT41 DUST used stolen code signing certificates to sign DUSTTRAP malware and components.[1] |
| Enterprise | T1596.005 | Search Open Technical Databases: Scan Databases | APT41 DUST used internet scan data for target development.[1] |
| Enterprise | T1593.002 | Search Open Websites/Domains: Search Engines | APT41 DUST involved use of search engines to research victim servers.[1] |
| Enterprise | T1594 | Search Victim-Owned Websites | APT41 DUST involved access of external victim websites for target development.[1] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | APT41 DUST involved use of web shells such as ANTSWORD and BLUEBEAM for persistence.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | APT41 DUST used stolen code signing certificates for DUSTTRAP malware and subsequent payloads.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | APT41 DUST used Windows services to execute DUSTPAN.[1] |
| Enterprise | T1102 | Web Service | APT41 DUST used compromised Google Workspace accounts for command and control.[1] |