CosmicDuke

CosmicDuke is malware that was used by APT29 from 2010 to 2015. [1]

ID: S0050
Associated Software: TinyBaron, BotgenStudios, NemesisGemina
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 28 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.[1][2]

Enterprise T1020 Automated Exfiltration

CosmicDuke exfiltrates collected files automatically over FTP to remote servers.[2]

Enterprise T1115 Clipboard Data

CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

CosmicDuke uses Windows services typically named "javamtsup" for persistence.[2]

Enterprise T1555 Credentials from Password Stores

CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.[1]

.003 Credentials from Web Browsers

CosmicDuke collects user credentials, including passwords, for various programs including Web browsers.[1]

Enterprise T1005 Data from Local System

CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.[2]

Enterprise T1039 Data from Network Shared Drive

CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list.[2]

Enterprise T1025 Data from Removable Media

CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list.[2]

Enterprise T1114 .001 Email Collection: Local Email Collection

CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.[2]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers.[2]

Enterprise T1068 Exploitation for Privilege Escalation

CosmicDuke attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398.[1]

Enterprise T1083 File and Directory Discovery

CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.[2]

Enterprise T1056 .001 Input Capture: Keylogging

CosmicDuke uses a keylogger.[1]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

CosmicDuke collects Windows account hashes.[1]

.004 OS Credential Dumping: LSA Secrets

CosmicDuke collects LSA secrets.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence.[2]

Enterprise T1113 Screen Capture

CosmicDuke takes periodic screenshots and exfiltrates them.[2]

Groups That Use This Software

ID Name References
G0016 APT29

[1][3]

References