CosmicDuke is malware that was used by APT29 from 2010 to 2015. [1]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.[1][2]
Enterprise | T1020 | Automated Exfiltration | CosmicDuke exfiltrates collected files automatically over FTP to remote servers.[2]
Enterprise | T1115 | Clipboard Data | CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[2]
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | CosmicDuke uses Windows services typically named "javamtsup" for persistence.[2]
Enterprise | T1555 | Credentials from Password Stores | CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.[1]
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | CosmicDuke collects user credentials, including passwords, for various programs including Web browsers.[1]
Enterprise | T1005 | Data from Local System | CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.[2]
Enterprise | T1039 | Data from Network Shared Drive | CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list.[2]
Enterprise | T1025 | Data from Removable Media | CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list.[2]
Enterprise | T1114.001 | Email Collection: Local Email Collection | CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.[2]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.[2]
Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be configured separately from C2 servers.[2]
Enterprise | T1068 | Exploitation for Privilege Escalation | CosmicDuke attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398.[1]
Enterprise | T1083 | File and Directory Discovery | CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.[2]
Enterprise | T1056.001 | Input Capture: Keylogging | CosmicDuke uses a keylogger.[1]
Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | CosmicDuke collects Windows account hashes.[1]
Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | CosmicDuke collects LSA secrets.[1]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence.[2]
Enterprise | T1113 | Screen Capture | CosmicDuke takes periodic screenshots and exfiltrates them.[2]

ID | Name | References
---|---|---
G0016 | APT29 |