Cyber Threat Report: 'APT41 Has Arisen From the DUST'
This report from Mandiant outlines APT41 activity observed since 2023 including successful compromises of logistic, media, technology and automotive companies across Europe and Asia. The report discusses the use of ANTSWORD and BLUEBEAM webshells as well as custom and commodity tooling. DUSTPAN is an in-memory dropper used to load Cobalt Strike BEACON. DUSTTRAP is multi-stage plugin framework with support for at least 15 different plugin modules from shell operations to network probing and keylogging. SQLULDR2 is a command line utility which was used to dump the contents of an Oracle database to a local file. Finally, PINEGROVE is another command line utility used to exfiltrate data to OneDrive. The report includes analysis of the components used as well as host and network indicators of compromise and YARA rules for detection.
Cyber Threat Graph Context
Explore how this report relates to the wider threat graph
Mitigations to defend against the techniques in this report
Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.Operating System Configuration
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.Code Signing
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.Pre-compromise
This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.Restrict Web-Based Content
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.Restrict Library Loading
Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.Execution Prevention
Block execution of code on a system through application control, and/or script blocking.Application Developer Guidance
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.Update Software
Perform regular software updates to mitigate exploitation risk.Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.Disable or Remove Feature or Program
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.Network Intrusion Prevention
Use intrusion detection signatures to block traffic at network boundaries.Identified MITRE ATT&CK Techniques
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1560.001 | Archive via Utility | Collection |
| T1543.003 | Windows Service | Persistence, Privilege Escalation |
| T1594 | Search Victim-Owned Websites | Reconnaissance |
| T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
| T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
| T1569.002 | Service Execution | Execution |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1505.003 | Web Shell | Persistence |
| T1071.001 | Web Protocols | Command and Control |
| T1070.004 | File Deletion | Defense Evasion |