Prikormka

Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008.[1]

ID: S0113
Type: MALWARE
Platforms: Windows
Version: 1.4
Created: 31 May 2017
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1025 Data from Removable Media

Prikormka contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB.[1]

Enterprise T1555 Credentials from Password Stores

A module in Prikormka collects passwords stored in applications installed on the victim.[1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

A module in Prikormka gathers logins and passwords stored in applications on the victim, including Google Chrome, Mozilla Firefox, and several other browsers.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Prikormka encrypts some C2 traffic with the Blowfish cipher.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.[1]

Enterprise T1120 Peripheral Device Discovery

A module in Prikormka collects information on available printers and disk drives.[1]

Enterprise T1113 Screen Capture

Prikormka contains a module that captures screenshots of the victim's desktop.[1]

Enterprise T1560 Archive Collected Data

After collecting documents from removable media, Prikormka compresses the collected files and encrypts the resulting archive with Blowfish.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Prikormka encodes C2 traffic with Base64.[1]

Enterprise T1083 File and Directory Discovery

A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Prikormka uses rundll32.exe to load its DLL.[1]

Enterprise T1082 System Information Discovery

A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.[1]

Enterprise T1033 System Owner/User Discovery

A module in Prikormka collects information from the victim about the current user name.[1]

Enterprise T1016 System Network Configuration Discovery

A module in Prikormka collects information from the victim about its IP addresses and MAC addresses.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

A module in Prikormka collects information from the victim about installed anti-virus software.[1]

Enterprise T1056 .001 Input Capture: Keylogging

Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.[1]

References