ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool Cannon

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Cannon

NamesCannon
CategoryMalware
TypeBackdoor
Description(Palo Alto) We were able to collect a second delivery document that shared the Joohn author from the crash list(Lion Air Boeing 737).docx document, as well as the 188.241.58[.]170 C2 IP to host its remote template. Structurally this sample was very similar to the initially analyzed document, but the payload turned out to be a completely new tool which we have named Cannon.

The tool is written in C# whose malicious code exists in a namespace called cannon, which is the basis of the Trojan’s name. The Trojan functions primarily as a downloader that relies on emails to communicate between the Trojan and the C2 server. To communicate with the C2 server, the Trojan will send emails to specific email addresses via SMTPS over TCP port 587. The specific functions of Cannon can be seen in Table 1. This tool also has a heavy reliance on EventHandlers with timers to run its methods in a specific order and potentially increase its evasion capability.
Information<https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/>
MITRE ATT&CK<https://attack.mitre.org/software/S0351/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon>

Last change to this tool card: 22 April 2020

Download this tool card in JSON format

Previous: CamuBot
Next: Capriccio RAT

All groups using tool Cannon

ChangedNameCountryObserved

APT groups

 Sofacy, APT 28, Fancy Bear, SednitRussia2004-Jun 2021 HOTX

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key