APT41

OriginChina

Techniques (MITRE ATT&CK)82

SourceMITRE ATT&CK

Also known as:Wicked PandaBrass TyphoonBARIUM

Vexday analysis

APT41 (também conhecido como Wicked Panda, Brass Typhoon e BARIUM) é um grupo de origem chinesa avaliado por pesquisadores como patrocinado pelo Estado, que conduz simultaneamente operações de espionagem e atividades motivadas por fins financeiros, com atuação documentada desde pelo menos 2012. O grupo foi observado visando setores como saúde, telecomunicações, tecnologia, finanças, educação, varejo e indústria de jogos eletrônicos em 14 países. Catalogado no MITRE ATT&CK sob o identificador G0096, o grupo tem 82 técnicas documentadas e 11 CVEs atribuídas, refletindo um arsenal técnico diversificado composto por ampla variedade de ferramentas e malwares. Há sobreposição parcial com os grupos publicamente conhecidos como BARIUM e Winnti Group.

Techniques (MITRE ATT&CK) 82

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Reconnaissance

Vulnerability Scanning Wordlist Scanning Scan Databases

Resource development

Tool

Initial access

Exploit Public-Facing Application Compromise Software Supply Chain Spearphishing Attachment

Execution

Windows Management Instrumentation Scheduled Task PowerShell Windows Command Shell Unix Shell Exploitation for Client Execution Service Execution

Persistence

Boot or Logon Initialization Scripts Additional Local or Domain Groups External Remote Services Local Account Windows Service Registry Run Keys / Startup Folder

Privilege escalation

Accessibility Features

Credential access

LSASS Memory Security Account Manager NTDS Brute Force Credentials from Password Stores Credentials from Web Browsers

Discovery

Query Registry System Network Configuration Discovery Remote System Discovery System Owner/User Discovery Network Service Discovery System Network Connections Discovery Permission Groups Discovery System Information Discovery File and Directory Discovery Local Account Domain Account Network Share Discovery

Lateral movement

Remote Desktop Protocol SMB/Windows Admin Shares Pass the Hash Lateral Tool Transfer

Collection

Data from Local System Keylogging Code Repositories Archive via Utility

Command and control

Fallback Channels Web Protocols File Transfer Protocols DNS Proxy Dead Drop Resolver Multi-Stage Channels Ingress Tool Transfer Domain Generation Algorithms

Exfiltration

Data Transfer Size Limits

Impact

Data Encrypted for Impact Compute Hijacking

defense-impairment

Modify Registry Group Policy Modification Code Signing Network Boundary Bridging Disable or Modify Tools Clear Windows Event Logs

stealth

Rootkit Obfuscated Files or Information Software Packing Masquerade Task or Service Match Legitimate Resource Name or Location Process Injection Clear Command History File Deletion Valid Accounts BITS Jobs Compiled HTML File Rundll32 Environmental Keying Bootkit DLL Dynamic Linker Hijacking Impersonation

Exploited vulnerabilities 11

CVEs this group is known to exploit, per MITRE ATT&CK. Ordered by real-world severity.

CVE-2019-19781CRITICALEPSS 100%KEV CVE-2021-26855CRITICALEPSS 100%KEV CVE-2012-0158HIGHEPSS 100%KEV CVE-2017-11882HIGHEPSS 100%KEV CVE-2020-10189CRITICALEPSS 100%KEV CVE-2014-7169CRITICALEPSS 100%KEV CVE-2017-0199HIGHEPSS 100%KEV CVE-2019-3396CRITICALEPSS 100%KEV CVE-2015-1641HIGHEPSS 97%KEV CVE-2016-6662EPSS 68%CVE-2017-8625EPSS 15%

APT41 uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →