PinchDuke
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1003 | Credential Dumping |
PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, Internet Explorer, Microsoft Outlook, WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP).[1] |
| Enterprise | T1005 | Data from Local System |
PinchDuke collects user files from the compromised host based on predefined file extensions.[1] |
| Enterprise | T1083 | File and Directory Discovery |
PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol |
PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server.[1] |
| Enterprise | T1082 | System Information Discovery |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [1] |