Mosquito

Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. [1]

ID: S0256
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 17 October 2018
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Mosquito's installer uses WMI to search for antivirus display names.[1]

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

Mosquito uses COM hijacking as a method of persistence.[1]

Enterprise T1112 Modify Registry

Mosquito can modify Registry keys under HKCU\Software\Microsoft[dllname] to store configuration values. Mosquito also modifies Registry keys under HKCR\CLSID...\InprocServer32 with a path to the launcher.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Mosquito establishes persistence under the Registry key HKCU\Software\Run auto_update.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Mosquito can launch PowerShell Scripts.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.[1]

Enterprise T1106 Native API

Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.[1]

Enterprise T1027 .011 Obfuscated Files or Information: Fileless Storage

Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft[dllname].[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Mosquito's installer is obfuscated with a custom crypter.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Mosquito deletes files using the DeleteFileW API call.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Mosquito's launcher uses rundll32.exe in a Registry key value to start the main backdoor capability.[1]

Enterprise T1033 System Owner/User Discovery

Mosquito runs whoami on the victim's machine.[1]

Enterprise T1016 System Network Configuration Discovery

Mosquito uses the ipconfig command.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system.[1]

Enterprise T1105 Ingress Tool Transfer

Mosquito can upload files to and download files from the victim.[1]

Enterprise T1057 Process Discovery

Mosquito runs tasklist to obtain running processes.[1]
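The Run-key, COM-hijacking and rundll32 entries above (T1547.001, T1546.015, T1218.011) all leave traces in the Registry. The following hunting script is an added example, not ATT&CK or vendor code: it walks a constructed registry export and flags Run values named auto_update or launched via rundll32.exe, and CLSID InprocServer32 values that reference rundll32.exe or a DLL outside the system directories. The value name, the sample GUIDs and paths, and the trusted-directory list are assumptions for the demo.

```python
"""Hunt for Mosquito-style Registry persistence in a registry export (added example)."""
import re

# (key path, value name, data) triples mimicking a .reg export; all constructed for the demo.
SAMPLE_REGISTRY = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "auto_update",
     r"rundll32.exe C:\Users\alice\AppData\Roaming\launcher.dll,Start"),
    (r"HKCR\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32", "",
     r"C:\Windows\System32\shell32.dll"),
    # A user-hive CLSID entry shadowing the machine-wide one, pointing at a user-writable DLL.
    (r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32", "",
     r"C:\Users\alice\AppData\Roaming\launcher.dll"),
]

# Directories treated as trusted for this demo (assumption; tune per environment).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_path(path: str) -> bool:
    """True if the (possibly quoted) path lives under one of the trusted directories."""
    return path.strip().strip('"').lower().startswith(TRUSTED_DIRS)


def dll_from_rundll32(cmd: str):
    """Return the DLL handed to rundll32 (the token before ',EntryPoint'), or None."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)', cmd, re.IGNORECASE)
    return m.group(1).strip() if m else None


def hunt(entries):
    """Return (technique, key, value name, data) tuples for suspicious persistence entries."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k.endswith("\\run"):
            dll = dll_from_rundll32(data)
            if name.lower() == "auto_update" or (dll and not is_trusted_path(dll)):
                findings.append(("T1547.001", key, name, data))
        elif "\\clsid\\" in k and k.endswith("\\inprocserver32"):
            target = dll_from_rundll32(data) or data
            if "rundll32" in data.lower() or not is_trusted_path(target):
                findings.append(("T1546.015", key, name, data))
    return findings


if __name__ == "__main__":
    for technique, key, name, data in hunt(SAMPLE_REGISTRY):
        print(f"{technique}: {key} [{name or '(Default)'}] = {data}")
```

On a live host the same logic can be fed from a `reg export` of HKCU and HKCR instead of the constructed list.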

Groups That Use This Software

ID Name References
G0010 Turla [1][2][3]

References