APT41 | APT Profile

Description

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

Techniques Used (TTPs)

T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1082 — System Information Discovery (discovery)
T1195.002 — Compromise Software Supply Chain (initial-access)
T1069 — Permission Groups Discovery (discovery)
T1562.006 — Indicator Blocking (defense-evasion)
T1595.003 — Wordlist Scanning (reconnaissance)
T1059.001 — PowerShell (execution)
T1014 — Rootkit (defense-evasion)
T1087.002 — Domain Account (discovery)
T1555.003 — Credentials from Web Browsers (credential-access)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1071.002 — File Transfer Protocols (command-and-control)
T1018 — Remote System Discovery (discovery)
T1027.002 — Software Packing (defense-evasion)
T1553.002 — Code Signing (defense-evasion)
T1596.005 — Scan Databases (reconnaissance)
T1588.002 — Tool (resource-development)
T1098.007 — Additional Local or Domain Groups (persistence, privilege-escalation)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1037 — Boot or Logon Initialization Scripts (persistence, privilege-escalation)
T1136.001 — Local Account (persistence)
T1542.003 — Bootkit (persistence, defense-evasion)
T1087.001 — Local Account (discovery)
T1071.001 — Web Protocols (command-and-control)
T1070.001 — Clear Windows Event Logs (defense-evasion)
T1135 — Network Share Discovery (discovery)
T1599 — Network Boundary Bridging (defense-evasion)
T1480.001 — Environmental Keying (defense-evasion)
T1484.001 — Group Policy Modification (defense-evasion, privilege-escalation)
T1595.002 — Vulnerability Scanning (reconnaissance)
T1005 — Data from Local System (collection)
T1133 — External Remote Services (persistence, initial-access)
T1070.004 — File Deletion (defense-evasion)
T1566.001 — Spearphishing Attachment (initial-access)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1546.008 — Accessibility Features (privilege-escalation, persistence)
T1110 — Brute Force (credential-access)
T1550.002 — Pass the Hash (defense-evasion, lateral-movement)
T1574.006 — Dynamic Linker Hijacking (persistence, privilege-escalation, defense-evasion)
T1059.003 — Windows Command Shell (execution)
T1003.002 — Security Account Manager (credential-access)
T1568.002 — Domain Generation Algorithms (command-and-control)
T1569.002 — Service Execution (execution)
T1071.004 — DNS (command-and-control)
T1046 — Network Service Discovery (discovery)
T1560.001 — Archive via Utility (collection)
T1218.011 — Rundll32 (defense-evasion)
T1102.001 — Dead Drop Resolver (command-and-control)
T1008 — Fallback Channels (command-and-control)
T1555 — Credentials from Password Stores (credential-access)
T1496.001 — Compute Hijacking (impact)
T1003.003 — NTDS (credential-access)
T1049 — System Network Connections Discovery (discovery)
T1059.004 — Unix Shell (execution)
T1486 — Data Encrypted for Impact (impact)
T1016 — System Network Configuration Discovery (discovery)
T1033 — System Owner/User Discovery (discovery)
T1105 — Ingress Tool Transfer (command-and-control)
T1203 — Exploitation for Client Execution (execution)
T1218.001 — Compiled HTML File (defense-evasion)
T1112 — Modify Registry (defense-evasion, persistence)
T1090 — Proxy (command-and-control)
T1003.001 — LSASS Memory (credential-access)
T1213.003 — Code Repositories (collection)
T1197 — BITS Jobs (defense-evasion, persistence)
T1012 — Query Registry (discovery)
T1083 — File and Directory Discovery (discovery)
T1656 — Impersonation (defense-evasion)
T1055 — Process Injection (defense-evasion, privilege-escalation)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1190 — Exploit Public-Facing Application (initial-access)
T1570 — Lateral Tool Transfer (lateral-movement)
T1027 — Obfuscated Files or Information (defense-evasion)
T1104 — Multi-Stage Channels (command-and-control)
T1030 — Data Transfer Size Limits (exfiltration)
T1047 — Windows Management Instrumentation (execution)
T1056.001 — Keylogging (collection, credential-access)
T1070.003 — Clear Command History (defense-evasion)
T1036.004 — Masquerade Task or Service (defense-evasion)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)

Total TTPs: 82

Malware & Tools

Malware: ASPXSpy, BLACKCOFFEE, China Chopper, Cobalt Strike, DUSTPAN, DUSTTRAP, Derusbi, KEYPLUG, LightSpy, MESSAGETAP, PlugX, ROCKBOOT, ShadowPad, Winnti for Linux, ZxShell, gh0st RAT, njRAT

Tools: BITSAdmin, Empire, Impacket, Mimikatz, Net, Ping, PowerSploit, certutil, dsquery, ftp, ipconfig, netstat, pwdump, sqlmap

← Return to Home ← Back to APT Search