CosmicDuke is malware that was used by APT29 from 2010 to 2015.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.[1][2] |
| Enterprise | T1020 | Automated Exfiltration | CosmicDuke exfiltrates collected files automatically over FTP to remote servers.[2] |
| Enterprise | T1115 | Clipboard Data | CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[2] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | CosmicDuke uses Windows services typically named "javamtsup" for persistence.[2] |
| Enterprise | T1555 | Credentials from Password Stores | CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.[1] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | CosmicDuke collects user credentials, including passwords, for various programs including Web browsers.[1] |
| Enterprise | T1005 | Data from Local System | CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.[2] |
| Enterprise | T1039 | Data from Network Shared Drive | CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list.[2] |
| Enterprise | T1025 | Data from Removable Media | CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list.[2] |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.[2] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.[2] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers.[2] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | CosmicDuke attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398.[1] |
| Enterprise | T1083 | File and Directory Discovery | CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.[2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | CosmicDuke uses a keylogger.[1] |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | CosmicDuke collects Windows account hashes.[1] |
| Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | CosmicDuke collects LSA secrets.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence.[2] |
| Enterprise | T1113 | Screen Capture | CosmicDuke takes periodic screenshots and exfiltrates them.[2] |