CosmicDuke is malware that was used by APT29 from 2010 to 2015. [1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1025 | Data from Removable Media | CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list.[2] |
| Enterprise | T1555 | Credentials from Password Stores | CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients, as well as WLAN keys.[1] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | CosmicDuke collects user credentials, including passwords, for various programs including Web browsers.[1] |
| Enterprise | T1005 | Data from Local System | CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.[2] |
| Enterprise | T1039 | Data from Network Shared Drive | CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list.[2] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | CosmicDuke uses Windows services typically named "javamtsup" for persistence.[2] |
| Enterprise | T1115 | Clipboard Data | CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[2] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.[2] |
| Enterprise | T1113 | Screen Capture | CosmicDuke takes periodic screenshots and exfiltrates them.[2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.[1][2] |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | CosmicDuke collects Windows account hashes.[1] |
| Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | CosmicDuke collects LSA secrets.[1] |
| Enterprise | T1083 | File and Directory Discovery | CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.[2] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be configured separately from the C2 servers.[2] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | CosmicDuke attempts to exploit the privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398.[1] |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | CosmicDuke searches for Microsoft Outlook data files with the extensions .pst and .ost for collection and exfiltration.[2] |
| Enterprise | T1020 | Automated Exfiltration | CosmicDuke exfiltrates collected files automatically over FTP to remote servers.[2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | CosmicDuke uses a keylogger.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence.[2] |
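The two persistence rows above (the "javamtsup" service and the "Watchmon Service" scheduled task) are the most directly huntable artifacts in this table. The following is an added example, not code from the ATT&CK page or from any CosmicDuke sample: it runs the two name indicators over Windows event records, System 7045 (service installed) and Security 4698 (scheduled task created), and pulls the launched binary out of the 4698 task XML so an analyst has something to pivot on. The event records are constructed for the demo, and the field names (`ServiceName`, `ImagePath`, `TaskName`, `TaskContent`) are assumed to mirror what an event-log exporter would emit. Because the page says the names are only "typically" used, a hit is a lead rather than proof, and the indicator sets are deliberately easy to extend.

```python
"""Hunt for CosmicDuke-style persistence names in Windows event records.

Added example (not from the ATT&CK page or the malware). Field names and the
sample events are assumptions constructed for the demo.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Names the ATT&CK page attributes to CosmicDuke. Matching is case-insensitive.
SERVICE_INDICATORS = {"javamtsup"}          # T1543.003
TASK_INDICATORS = {"watchmon service"}      # T1053.005

# Default namespace of a Task Scheduler task definition (the 4698 TaskContent field).
_TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID
    event_id: int    # Windows event ID that produced the hit
    name: str        # service or task name as logged
    command: str     # binary the persistence artifact launches (if recoverable)
    reason: str


def _norm(value: str) -> str:
    """Lower-case, strip quotes and the leading backslash 4698 puts on task paths."""
    return value.strip().strip('"').lower().lstrip("\\")


def check_service_install(event: dict) -> Optional[Finding]:
    """System log 7045: 'A service was installed in the system'."""
    if event.get("EventID") != 7045:
        return None
    name = event.get("ServiceName", "")
    if _norm(name) in SERVICE_INDICATORS:
        return Finding("T1543.003", 7045, name, event.get("ImagePath", ""),
                       "service name matches CosmicDuke indicator")
    return None


def check_task_created(event: dict) -> Optional[Finding]:
    """Security log 4698: 'A scheduled task was created'.

    TaskContent carries the task definition XML; the <Exec><Command> element
    names the binary the task runs, which is the pivot an analyst wants.
    """
    if event.get("EventID") != 4698:
        return None
    name = event.get("TaskName", "")
    if _norm(name) not in TASK_INDICATORS:
        return None
    try:
        root = ET.fromstring(event.get("TaskContent", ""))
        node = root.find(".//t:Exec/t:Command", _TASK_NS)
        command = node.text.strip() if node is not None and node.text else ""
    except ET.ParseError:
        command = "<unparseable TaskContent>"
    return Finding("T1053.005", 4698, name, command,
                   "task name matches CosmicDuke indicator")


CHECKS = (check_service_install, check_task_created)


def hunt(events) -> list:
    """Run every check over every record; return findings in record order."""
    findings = []
    for event in events:
        for check in CHECKS:
            hit = check(event)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample records (not real logs): a benign service install, a
# service named like CosmicDuke's, a task named like CosmicDuke's, and a
# built-in Windows task that must not match.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": "C:\\Windows\\Sysmon64.exe"},
    {"EventID": 7045, "ServiceName": "javamtsup",
     "ImagePath": "C:\\Users\\Public\\javamtsup.exe"},
    {"EventID": 4698, "TaskName": "\\Watchmon Service",
     "TaskContent": '<?xml version="1.0"?>'
                    '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                    '<Actions><Exec><Command>C:\\Users\\Public\\wmon.exe</Command></Exec>'
                    '</Actions></Task>'},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": "<Task/>"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique} eid={f.event_id} name={f.name!r} "
              f"command={f.command!r} ({f.reason})")
```

Two of the four sample records produce findings. In a real hunt, feed `hunt()` the 7045 and 4698 records exported from the System and Security logs, and widen `SERVICE_INDICATORS` and `TASK_INDICATORS` with any variants seen in your own environment; the name match is the cheap first pass, and the recovered `ImagePath` or task `Command` is what to follow up on.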