PinchDuke

PinchDuke is malware that was used by APT29 from 2008 to 2010.[1]

ID: S0048
Aliases: PinchDuke
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1003 | Credential Dumping | PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, Internet Explorer, Microsoft Outlook, WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP).[1]
Enterprise | T1005 | Data from Local System | PinchDuke collects user files from the compromised host based on predefined file extensions.[1]
Enterprise | T1083 | File and Directory Discovery | PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.[1]
Enterprise | T1071 | Standard Application Layer Protocol | PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server.[1]
Enterprise | T1082 | System Information Discovery | PinchDuke gathers system configuration information.[1]
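The T1083 and T1005 rows describe one selection rule: a file is collected only if its extension is on a predefined list and it was created inside a time window (presumably so each check-in picks up only material new since the last one). The script below is an added example, not code from the ATT&CK page or from PinchDuke itself, that reproduces that rule so a defender can generate a known set of "would be collected" files and check whether file-access or DLP telemetry sees them. The extension list and the 7-day window are placeholders (the page does not give the real ones), and "created" is taken from st_mtime so the fixture is reproducible on any OS; on platforms that expose st_birthtime you can switch to it with the flag shown.

```python
"""Reproduce a PinchDuke-style file selection rule: extension allowlist + time window.

Added example; not from the ATT&CK page or the malware. The extension list,
the window and the sample tree are constructed placeholders.
"""
import os
import tempfile
import time
from pathlib import Path

# Hypothetical target list; the page does not list PinchDuke's actual extensions.
DOC_EXTS = {".doc", ".xls", ".pdf", ".txt"}


def _timestamp(st: os.stat_result, use_birthtime: bool) -> float:
    """Creation time where the OS reports it (macOS, Windows), else mtime.
    Default is mtime so results are stable across platforms."""
    if use_birthtime:
        bt = getattr(st, "st_birthtime", None)
        if bt:
            return bt
    return st.st_mtime


def select_files(root, exts, start, end, use_birthtime=False):
    """Yield files under root whose suffix (case-insensitive) is in exts and
    whose timestamp lies in the closed interval [start, end]."""
    wanted = {e.lower() for e in exts}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            if path.suffix.lower() not in wanted:   # only the last suffix counts
                continue
            try:
                st = path.stat()
            except OSError:                         # vanished/unreadable: skip, don't abort
                continue
            if start <= _timestamp(st, use_birthtime) <= end:
                yield path


def build_fixture(root, now):
    """Constructed sample tree: three files that should match, three decoys."""
    root = Path(root)
    (root / "sub").mkdir()
    spec = {
        "report.DOC": now - 86400,          # recent, uppercase ext  -> selected
        "sub/budget.xls": now - 3 * 86400,  # recent, nested         -> selected
        "notes.txt": now,                   # exactly at `end`       -> selected
        "old.pdf": now - 30 * 86400,        # outside the window     -> skipped
        "tool.exe": now - 60,               # extension not listed   -> skipped
        "archive.tar.gz": now - 60,         # suffix is .gz          -> skipped
    }
    for rel, ts in spec.items():
        p = root / rel
        p.write_bytes(b"x")
        os.utime(p, (ts, ts))               # pin atime/mtime to the chosen second
    return root


def demo(days=7):
    """Build the fixture in a temp dir and return the selected paths, sorted."""
    now = int(time.time())                  # whole seconds: exact round-trip via utime
    with tempfile.TemporaryDirectory() as tmp:
        root = build_fixture(tmp, now)
        hits = select_files(root, DOC_EXTS, now - days * 86400, now)
        return sorted(p.relative_to(root).as_posix() for p in hits)


if __name__ == "__main__":
    print(demo())        # ['notes.txt', 'report.DOC', 'sub/budget.xls']
```

Point the same `select_files` call at a real profile directory (with `use_birthtime=True` on macOS or Windows) to see what a collector with these parameters would stage on that host; the boundary cases in the fixture (uppercase extension, double suffix, timestamp exactly on the window edge) are the ones a naive detection rule tends to miss.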

Groups

Groups that use this software:

APT29

References