Cannon

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. ^[1]^[2]

ID: S0351

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 30 January 2019

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.004	启动或登录自动启动执行: Winlogon Helper DLL	Cannon adds the Registry key `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` to establish persistence.^[1]
Enterprise	T1113		屏幕捕获	Cannon can take a screenshot of the desktop.^[1]
Enterprise	T1071	.003	应用层协议: Mail Protocols	Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.^[1]
Enterprise	T1083		文件和目录发现	Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.^[1]
Enterprise	T1082		系统信息发现	Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.^[1]^[2]
Enterprise	T1033		系统所有者/用户发现	Cannon can gather the username from the system.^[1]
Enterprise	T1124		系统时间发现	Cannon can collect the current time zone information from the victim’s machine.^[1]
Enterprise	T1105		输入工具传输	Cannon can download a payload for execution.^[1]
Enterprise	T1057		进程发现	Cannon can obtain a list of processes running on the system.^[1]^[2]
Enterprise	T1041		通过C2信道渗出	Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.^[1]

Groups That Use This Software

ID	Name	References
G0007	APT28	^[1]^[2]

References

Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.

Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.