Register to stream the next session of ATT&CKcon Power Hour December 11

SOFTWARE

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Desert Scorpion

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Desert Scorpion

E-F

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

PinchDuke

PinchDuke is malware that was used by APT29 from 2008 to 2010. ^[1]

ID: S0048

Type: MALWARE

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server.^[1]
Enterprise	T1555		Credentials from Password Stores	PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook.^[1]
		.003	Credentials from Web Browsers	PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer. ^[1]
Enterprise	T1005		Data from Local System	PinchDuke collects user files from the compromised host based on predefined file extensions.^[1]
Enterprise	T1083		File and Directory Discovery	PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.^[1]
Enterprise	T1003		OS Credential Dumping	PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated many sources such as WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP).^[1]
Enterprise	T1082		System Information Discovery	PinchDuke gathers system configuration information.^[1]

Groups That Use This Software

ID	Name	References
G0016	APT29	^[1]

References

F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.