DEADEYE

Deadeye is a sophisticated malware used in cyber-espionage operations, primarily deployed by the threat actor group known as APT41. This malware has been employed in multiple U.S. state government intrusions, where it was packaged using VMProtect and split into multiple sections on disk to evade analysis. The execution guardrail capabilities of Deadeye were updated during these campaigns, demonstrating the adaptability of the malware. APT41 also incorporated additional anti-analysis techniques, such as changing the standard VMProtect section names (.vmp) to UPX section names (.upx), further complicating efforts to understand and counteract the malware. APT41 utilizes advanced tools in their toolkit, including the Deadeye launcher and LOWKEY backdoor, both equipped with added capabilities and anti-analysis measures. To maintain persistence of Deadeye droppers in compromised systems, APT41 leveraged Windows scheduled tasks, modifying them via the "schtasks /change" command to run under the context of SYSTEM. Additionally, the group used malicious imports to the Import Address Table (IAT) of legitimate Windows PE binaries, another technique for launching the malware. The group has exhibited a pattern of using common file naming conventions when deploying Deadeye on victim hosts, as depicted in Figure 8. In older campaigns, Deadeye samples used the victim computer’s volume serial number, but this has since been updated to use the hostname and/or DNS domain during the U.S. state government campaign. The group also uses commands to find the volume serial number of the system, which historically serves as the decryption key for Deadeye payloads. These evolving tactics underscore the sophistication of APT41's operations and the ongoing threat posed by the Deadeye malware.