{"description": "Enterprise techniques used by APT41 DUST, ATT&CK campaign C0040 (v1.0)", "name": "APT41 DUST (C0040)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [
{"techniqueID": "T1583", "showSubtechniques": true},
{"techniqueID": "T1583.007", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used infrastructure hosted behind Cloudflare or utilized Cloudflare Workers for command and control.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1071", "showSubtechniques": true},
{"techniqueID": "T1071.001", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used HTTPS for command and control.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1560", "showSubtechniques": true},
{"techniqueID": "T1560.001", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used `rar` to compress data downloaded from internal Oracle databases prior to exfiltration.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1119", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used tools such as SQLULDR2 and PINEGROVE to gather local system and database information.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1586", "showSubtechniques": true},
{"techniqueID": "T1586.003", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used compromised Google Workspace accounts for command and control.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1543", "showSubtechniques": true},
{"techniqueID": "T1543.003", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used Windows Services with names such as `Windows Defend` for persistence of [DUSTPAN](https://attack.mitre.org/software/S1158).(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1213", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) collected data from victim Oracle databases using SQLULDR2.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1074", "showSubtechniques": true},
{"techniqueID": "T1074.001", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) involved exporting data from Oracle databases to local CSV files prior to exfiltration.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1573", "showSubtechniques": true},
{"techniqueID": "T1573.002", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used HTTPS for command and control.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1567", "showSubtechniques": true},
{"techniqueID": "T1567.002", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) exfiltrated collected information to OneDrive.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1574", "showSubtechniques": true},
{"techniqueID": "T1574.001", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) involved the use of DLL search order hijacking to execute [DUSTTRAP](https://attack.mitre.org/software/S1159).(Citation: Google Cloud APT41 2024) [APT41 DUST](https://attack.mitre.org/campaigns/C0040) also used DLL side-loading to execute [DUSTTRAP](https://attack.mitre.org/software/S1159) via an AhnLab uninstaller.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1070", "showSubtechniques": true},
{"techniqueID": "T1070.004", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) deleted various artifacts from victim systems following use.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1105", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) involved execution of `certutil.exe` via web shell to download the [DUSTPAN](https://attack.mitre.org/software/S1158) dropper.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1036", "showSubtechniques": true},
{"techniqueID": "T1036.004", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) disguised [DUSTPAN](https://attack.mitre.org/software/S1158) as a legitimate Windows binary such as `w3wp.exe` or `conn.exe`.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027", "showSubtechniques": true},
{"techniqueID": "T1027.013", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used encrypted payloads decrypted and executed in memory.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1588", "showSubtechniques": true},
{"techniqueID": "T1588.003", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used stolen code signing certificates to sign [DUSTTRAP](https://attack.mitre.org/software/S1159) malware and components.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1596", "showSubtechniques": true},
{"techniqueID": "T1596.005", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used internet scan data for target development.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1593", "showSubtechniques": true},
{"techniqueID": "T1593.002", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) involved use of search engines to research victim servers.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1594", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) involved access of external victim websites for target development.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1505", "showSubtechniques": true},
{"techniqueID": "T1505.003", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) involved use of web shells such as ANTSWORD and BLUEBEAM for persistence.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1553", "showSubtechniques": true},
{"techniqueID": "T1553.002", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used stolen code signing certificates for [DUSTTRAP](https://attack.mitre.org/software/S1159) malware and subsequent payloads.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1569", "showSubtechniques": true},
{"techniqueID": "T1569.002", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used Windows services to execute [DUSTPAN](https://attack.mitre.org/software/S1158).(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1102", "comment": "[APT41 DUST](https://attack.mitre.org/campaigns/C0040) used compromised Google Workspace accounts for command and control.(Citation: Google Cloud APT41 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT41 DUST", "color": "#66b1ff"}]}