Cyber Threat Report: 'APT41 Has Arisen From the DUST'

This report from Mandiant outlines APT41 activity observed since 2023 including successful compromises of logistic, media, technology and automotive companies across Europe and Asia. The report discusses the use of ANTSWORD and BLUEBEAM webshells as well as custom and commodity tooling. DUSTPAN is an in-memory dropper used to load Cobalt Strike BEACON. DUSTTRAP is multi-stage plugin framework with support for at least 15 different plugin modules from shell operations to network probing and keylogging. SQLULDR2 is a command line utility which was used to dump the contents of an Oracle database to a local file. Finally, PINEGROVE is another command line utility used to exfiltrate data to OneDrive. The report includes analysis of the components used as well as host and network indicators of compromise and YARA rules for detection.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Pre-compromise

This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.

Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Restrict Library Loading

Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Application Developer Guidance

This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.

Update Software

Perform regular software updates to mitigate exploitation risk.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.