CosmicDuke is malware that was used by APT29 from 2010 to 2015. [1]

ID: S0050
Associated Software: TinyBaron, BotgenStudios, NemesisGemina

Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1020 | Automated Exfiltration | CosmicDuke exfiltrates collected files automatically over FTP to remote servers. [2]
Enterprise | T1115 | Clipboard Data | CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds. [2]
Enterprise | T1003 | Credential Dumping | CosmicDuke collects user credentials, including passwords, from various programs, including popular instant messaging applications, web browsers, and email clients. Windows account hashes, domain accounts, and LSA secrets are also collected, as are WLAN keys. [1]
Enterprise | T1024 | Custom Cryptographic Protocol | CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error. [2]
Enterprise | T1005 | Data from Local System | CosmicDuke steals user files from local hard drives with file extensions that match a predefined list. [2]
Enterprise | T1039 | Data from Network Shared Drive | CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list. [2]
Enterprise | T1025 | Data from Removable Media | CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list. [2]
Enterprise | T1114 | Email Collection | CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration. [2]
Enterprise | T1048 | Exfiltration Over Alternative Protocol | CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be configured separately from C2 servers. [2]
Enterprise | T1068 | Exploitation for Privilege Escalation | CosmicDuke attempts to exploit the privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398. [1]
Enterprise | T1083 | File and Directory Discovery | CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list. [2]
Enterprise | T1056 | Input Capture | CosmicDuke uses a keylogger and steals clipboard contents from victims. [1]
Enterprise | T1050 | New Service | CosmicDuke uses Windows services typically named "javamtsup" for persistence. [2]
Enterprise | T1053 | Scheduled Task | CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence. [2]
Enterprise | T1113 | Screen Capture | CosmicDuke takes periodic screenshots and exfiltrates them. [2]
Enterprise | T1071 | Standard Application Layer Protocol | CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers. [1][2]
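The two persistence artefacts in the table (a service typically named "javamtsup" under T1050 and a scheduled task typically named "Watchmon Service" under T1053) are the most directly huntable items on this page. The script below is an added example, not code from MITRE, from the cited reports, or from the malware; it sweeps a host inventory for those names. The inventory record layout, the hostnames, the file paths and the benign entries are all constructed for the example. Because the page says the names are only "typical", the comparison is case-insensitive and whitespace-collapsed rather than exact, so minor variants still surface for triage.

```python
"""Hunt a host inventory for the CosmicDuke persistence names listed above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator names from the technique table on this page (T1050 and T1053).
SERVICE_NAME = "javamtsup"
TASK_NAME = "Watchmon Service"


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "service" or "task"
    name: str    # name exactly as it appears on the host
    detail: str  # binary path or task action, for triage


def _norm(name: str) -> str:
    """Case-insensitive, whitespace-collapsed form so "WATCHMON  service" still matches."""
    return re.sub(r"\s+", " ", name.strip()).lower()


def hunt_host(record: dict) -> list[Finding]:
    """Return findings for one host record.

    The record layout is an assumption of this example, not a MITRE or vendor format:
    {"host": str, "services": [{"name", "display", "path"}], "tasks": [{"name", "action"}]}
    """
    host = record["host"]
    findings: list[Finding] = []
    for svc in record.get("services", []):
        # Check both the short service name and the display name; either may carry it.
        names = {_norm(svc.get("name", "")), _norm(svc.get("display", ""))}
        if _norm(SERVICE_NAME) in names:
            findings.append(Finding(host, "service", svc.get("name", ""),
                                    f"binary: {svc.get('path', '?')}"))
    for task in record.get("tasks", []):
        if _norm(task.get("name", "")) == _norm(TASK_NAME):
            findings.append(Finding(host, "task", task.get("name", ""),
                                    f"action: {task.get('action', '?')}"))
    return findings


def hunt(inventory: list[dict]) -> list[Finding]:
    """Run hunt_host over every record and concatenate the findings, in inventory order."""
    results: list[Finding] = []
    for record in inventory:
        results.extend(hunt_host(record))
    return results


# Constructed sample inventory: hostnames, paths and the benign entries are invented.
SAMPLE_INVENTORY = [
    {
        "host": "ws01",
        "services": [
            {"name": "Spooler", "display": "Print Spooler",
             "path": r"C:\Windows\System32\spoolsv.exe"},
            {"name": "javamtsup", "display": "Java Update Service",
             "path": r"C:\Users\alice\AppData\Local\Temp\jms.exe"},
        ],
        "tasks": [
            {"name": "Watchmon Service", "action": r"C:\ProgramData\wm.exe"},
        ],
    },
    {
        "host": "ws02",
        "services": [
            {"name": "W32Time", "display": "Windows Time",
             "path": r"C:\Windows\System32\svchost.exe"},
        ],
        "tasks": [
            {"name": "GoogleUpdateTaskMachineUA",
             "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
        ],
    },
    {
        "host": "ws03",
        "services": [],
        # Spacing and case vary in the wild; normalisation still catches this one.
        "tasks": [{"name": "WATCHMON  service", "action": r"C:\Users\Public\wms.exe"}],
    },
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_INVENTORY):
        print(f"{f.host}: suspicious {f.kind} '{f.name}' ({f.detail})")
```

On a real estate the inventory would be built from the output of the usual Windows collectors (service and scheduled-task listings exported per host) mapped into the record layout above; a name match alone is a lead, not a verdict, so each finding carries the binary path or task action for the analyst to pull and examine next.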


Groups that use this software: