Open Hunting - Threat Library

Openhunting Threat Library

Cannon

(Type: Backdoor)

(Palo Alto) We were able to collect a second delivery document that shared the Joohn author from the crash list(Lion Air Boeing 737).docx document, as well as the 188.241.58[.]170 C2 IP to host its remote template. Structurally this sample was very similar to the initially analyzed document, but the payload turned out to be a completely new tool which we have named Cannon. The tool is written in C# whose malicious code exists in a namespace called cannon, which is the basis of the Trojan’s name. The Trojan functions primarily as a downloader that relies on emails to communicate between the Trojan and the C2 server. To communicate with the C2 server, the Trojan will send emails to specific email addresses via SMTPS over TCP port 587. The specific functions of Cannon can be seen in Table 1. This tool also has a heavy reliance on EventHandlers with timers to run its methods in a specific order and potentially increase its evasion capability.

[News Analysis] Trends:

Total Trend: 3

Trend Per Year

2018

2022

Trend Per Month

Nov 2018

Jul 2022

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

reconnaissance

0/43

resource development

0/45

initial access

0/19

execution

0/36

persistence

1/113

privilege escalation

1/96

defense evasion

0/184

credential access

0/63

discovery

5/44

lateral movement

0/22

collection

1/37

command and control

2/39

exfiltration

1/18

impact

0/26

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
				T1547.004 Boot Or Logon Autostart Execution : Winlogon Helper Dll	T1547.004 Boot Or Logon Autostart Execution : Winlogon Helper Dll			T1083 File And Directory Discovery T1057 Process Discovery T1082 System Information Discovery T1033 System Owner/user Discovery T1124 System Time Discovery		T1113 Screen Capture	T1071.003 Application Layer Protocol : Mail Protocols T1105 Ingress Tool Transfer	T1041 Exfiltration Over C2 Channel

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

Fighting Ursa

2022-07-18 by Unit 42 from Palo Alto Networks Unit 42

Let's Learn: In-Depth on Sofacy Cannon Loader/Backdoor Review

2018-11-27 by Vitali Kremez from Vitali Kremez Blog

Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan

2018-11-20 by Robert Falcone from Palo Alto Networks Unit 42

Basic Information (Credit @etda.or.th)

Tool: Cannon

Names: Cannon

Description: (Palo Alto) We were able to collect a second delivery document that shared the Joohn author from the crash list(Lion Air Boeing 737).docx document, as well as the 188.241.58[.]170 C2 IP to host its remote template. Structurally this sample was very similar to the initially analyzed document, but the payload turned out to be a completely new tool which we have named Cannon. The tool is written in C# whose malicious code exists in a namespace called cannon, which is the basis of the Trojan’s name. The Trojan functions primarily as a downloader that relies on emails to communicate between the Trojan and the C2 server. To communicate with the C2 server, the Trojan will send emails to specific email addresses via SMTPS over TCP port 587. The specific functions of Cannon can be seen in Table 1. This tool also has a heavy reliance on EventHandlers with timers to run its methods in a specific order and potentially increase its evasion capability.

Category: Malware

Type: Backdoor

Information: https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/

Mitre-attack: https://attack.mitre.org/software/S0351/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon

Last-card-change: 2020-04-23

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
				T1547.004 BOOT OR LOGON AUTOSTART EXECUTION : WINLOGON HELPER DLL cannon adds the registry key hkcu\software\microsoft\windows nt\currentversion\winlogon to establish persistence.	T1547.004 BOOT OR LOGON AUTOSTART EXECUTION : WINLOGON HELPER DLL cannon adds the registry key hkcu\software\microsoft\windows nt\currentversion\winlogon to establish persistence.			T1083 FILE AND DIRECTORY DISCOVERY cannon can obtain victim drive information as well as a list of folders in c:\program files. T1057 PROCESS DISCOVERY cannon can obtain a list of processes running on the system. T1082 SYSTEM INFORMATION DISCOVERY cannon can gather system information from the victim’s machine such as the os version, machine name, and drive information. T1033 SYSTEM OWNER/USER DISCOVERY cannon can gather the username from the system. T1124 SYSTEM TIME DISCOVERY cannon can collect the current time zone information from the victim’s machine.		T1113 SCREEN CAPTURE cannon can take a screenshot of the desktop.	T1071.003 APPLICATION LAYER PROTOCOL : MAIL PROTOCOLS cannon uses smtp/s and pop3/s for c2 communications by sending and receiving emails. T1105 INGRESS TOOL TRANSFER cannon can download a payload for execution.	T1041 EXFILTRATION OVER C2 CHANNEL cannon exfiltrates collected data over email via smtp/s and pop3/s c2 channels.