CosmicDuke

CosmicDuke is malware that was used by APT29 from 2010 to 2015. [1]

ID: S0050
Associated Software: TinyBaron, BotgenStudios, NemesisGemina
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1020 | Automated Exfiltration | CosmicDuke exfiltrates collected files automatically over FTP to remote servers. [2]
Enterprise | T1115 | Clipboard Data | CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds. [2]
Enterprise | T1003 | Credential Dumping | CosmicDuke collects user credentials, including passwords, for various programs and browsers, including popular instant messaging applications, web browsers, and email clients. Windows account hashes, domain accounts, and LSA secrets are also collected, as are WLAN keys. [1]
Enterprise | T1024 | Custom Cryptographic Protocol | CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error. [2]
Enterprise | T1005 | Data from Local System | CosmicDuke steals user files from local hard drives with file extensions that match a predefined list. [2]
Enterprise | T1039 | Data from Network Shared Drive | CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list. [2]
Enterprise | T1025 | Data from Removable Media | CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list. [2]
Enterprise | T1114 | Email Collection | CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration. [2]
Enterprise | T1048 | Exfiltration Over Alternative Protocol | CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers. [2]
Enterprise | T1068 | Exploitation for Privilege Escalation | CosmicDuke attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398. [1]
Enterprise | T1083 | File and Directory Discovery | CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list. [2]
Enterprise | T1056 | Input Capture | CosmicDuke uses a keylogger and steals clipboard contents from victims. [1]
Enterprise | T1050 | New Service | CosmicDuke uses Windows services typically named "javamtsup" for persistence. [2]
Enterprise | T1053 | Scheduled Task | CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence. [2]
Enterprise | T1113 | Screen Capture | CosmicDuke takes periodic screenshots and exfiltrates them. [2]
Enterprise | T1071 | Standard Application Layer Protocol | CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers. [1] [2]
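As an added example (not from the ATT&CK page or from any CosmicDuke source), the following Python hunt flags the two persistence names listed above in Windows event records. It assumes System event 7045 (service installed) and Security event 4698 (scheduled task created) as the inputs, in a key=value line format constructed for the demo; the case-insensitive matching is an assumption, since the page only says the names are "typically" used.

```python
# Added example: hunt for CosmicDuke-style persistence artifacts
# (service "javamtsup", scheduled task "Watchmon Service") in
# Windows event records. The key=value log format and sample lines
# below are constructed for this demo, not real telemetry.
import re
from dataclasses import dataclass

# Names reported on the ATT&CK page; matched case-insensitively (assumption).
SERVICE_PATTERNS = [re.compile(r"^javamtsup$", re.I)]
TASK_PATTERNS = [re.compile(r"^watchmon\s+service$", re.I)]

# Windows event IDs assumed as sources: 7045 = service installed (System),
# 4698 = scheduled task created (Security).
EVENT_SERVICE_INSTALLED = 7045
EVENT_TASK_CREATED = 4698

LINE_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Finding:
    host: str
    event_id: int
    technique: str
    name: str


def parse_line(line):
    """Parse one constructed key=value record into a dict (quoted values allowed)."""
    rec = {}
    for key, raw, quoted in LINE_RE.findall(line):
        rec[key] = quoted if raw.startswith('"') else raw
    rec["event_id"] = int(rec.get("event_id", 0))
    return rec


def scan_lines(lines):
    """Return a Finding for every record whose service/task name matches."""
    findings = []
    for rec in map(parse_line, lines):
        name = rec.get("name", "").strip()
        if rec["event_id"] == EVENT_SERVICE_INSTALLED and any(p.search(name) for p in SERVICE_PATTERNS):
            findings.append(Finding(rec["host"], rec["event_id"], "T1050 New Service", name))
        elif rec["event_id"] == EVENT_TASK_CREATED and any(p.search(name) for p in TASK_PATTERNS):
            findings.append(Finding(rec["host"], rec["event_id"], "T1053 Scheduled Task", name))
    return findings


# Constructed sample records: two benign, two matching the page's names.
SAMPLE_LINES = [
    'host=ws01 event_id=7045 name="Spooler"',
    'host=ws01 event_id=7045 name="JavaMtsup"',
    'host=ws02 event_id=4698 name="Watchmon Service"',
    'host=ws02 event_id=4698 name="GoogleUpdateTaskMachineUA"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"{f.host}: event {f.event_id} {f.technique}: {f.name!r}")
```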

Groups That Use This Software

ID | Name | References
G0016 | APT29 | [1]

References