Rover

Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. [1]

ID: S0090
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 17 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe.[1]

Enterprise T1020 Automated Exfiltration

Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Rover persists by creating a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, a per-user autostart location that can be written without administrative privileges.[1]

Enterprise T1005 Data from Local System

Rover searches for files on local drives based on a predefined list of file extensions.[1]

Enterprise T1025 Data from Removable Media

Rover searches for files on attached removable drives based on a predefined list of file extensions every five seconds.[1]

Enterprise T1074.001 Data Staged: Local Data Staging

Rover copies files from removable drives to C:\system.[1]

Enterprise T1083 File and Directory Discovery

Rover automatically searches for files on local drives based on a predefined list of file extensions.[1]

Enterprise T1056.001 Input Capture: Keylogging

Rover has keylogging functionality.[1]

Enterprise T1112 Modify Registry

Rover has functionality to remove Registry Run key persistence as a cleanup procedure.[1]
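Because the Run key entry described under T1547.001 is later removed as part of the cleanup described here under T1112, a single registry snapshot can miss it entirely; comparing successive exports of the key catches both the addition and the removal. The following is an added example for this page, not code from the cited report or from Rover itself: it parses `reg export` text for the HKCU Run key, diffs two snapshots, and flags entries whose executable lives outside an assumed set of trusted directories. The three snapshots are constructed sample data, and the trusted-directory patterns are an assumed baseline rather than an authoritative list.

```python
"""Compare two `reg export` snapshots of the HKCU Run key to surface an autostart
entry being added and later removed.

Added example for this page; not code from the cited report or from Rover.
The snapshots are constructed sample data in the text format reg.exe writes,
and _TRUSTED_DIRS is an assumed baseline, not an authoritative list.
"""
import re
from typing import Dict, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed: one benign entry; then an added entry launching from C:\system
# (the staging directory named on this page); then the key after cleanup.
SNAPSHOT_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"""
SNAPSHOT_DURING = SNAPSHOT_BEFORE + r'"svchost"="C:\\system\\svchost.exe"' + "\n"
SNAPSHOT_AFTER = SNAPSHOT_BEFORE

# "name"="string value" lines; \\ and \" are the escapes used in REG_SZ exports.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Assumed trusted launch locations (heuristic, tune to the environment).
_TRUSTED_DIRS = [
    re.compile(r"^c:\\program files( \(x86\))?\\", re.I),
    re.compile(r"^c:\\windows\\", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\", re.I),
]


def _unescape(s: str) -> str:
    """Undo the backslash escaping used inside exported REG_SZ values."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text: str, key: str = RUN_KEY) -> Dict[str, str]:
    """Return {value name: command line} for the values stored under `key`."""
    values: Dict[str, str] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = _VALUE_LINE.match(line) if in_key else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def executable_of(command: str) -> str:
    """First token of a Run value: the quoted path, or text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_suspicious(command: str) -> bool:
    """True unless the executable sits under one of the assumed trusted directories."""
    exe = executable_of(command)
    return not any(p.match(exe) for p in _TRUSTED_DIRS)


def diff_run_keys(before: str, after: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """(added or changed, removed) Run values between two exports of the key."""
    old, new = parse_run_values(before), parse_run_values(after)
    added = {n: c for n, c in new.items() if old.get(n) != c}
    removed = {n: c for n, c in old.items() if n not in new}
    return added, removed


if __name__ == "__main__":
    for label, a, b in (("install", SNAPSHOT_BEFORE, SNAPSHOT_DURING),
                        ("cleanup", SNAPSHOT_DURING, SNAPSHOT_AFTER)):
        added, removed = diff_run_keys(a, b)
        for name, cmd in added.items():
            flag = "SUSPICIOUS" if is_suspicious(cmd) else "ok"
            print(f"[{label}] added   {name!r} -> {cmd} [{flag}]")
        for name, cmd in removed.items():
            print(f"[{label}] removed {name!r} -> {cmd}")
```

Real exports written by `reg export` are UTF-16 text, so read them with `open(path, encoding="utf-16")` before passing them to `parse_run_values`. Taking the snapshots on a schedule (or from an EDR registry-change feed) rather than once is what makes the later removal visible.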

Enterprise T1113 Screen Capture

Rover takes screenshots of the compromised system's desktop and saves them to C:\system\screenshot.bmp for exfiltration every 60 minutes.[1]
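Two of the behaviours on this page are directly huntable in endpoint telemetry: files being staged under C:\system (the removable-drive copies under T1074.001 and the screenshot file above) and the fixed 60-minute exfiltration cadence under T1020. The following is an added example for this page, not code from the cited report or from Rover: it runs over constructed event records whose fields only loosely mirror Sysmon's FileCreate (event ID 11) and NetworkConnect (event ID 3) events, flags writes into the staging directory, and flags process/destination pairs whose connection intervals are nearly constant. The addresses are TEST-NET documentation IPs, and the jitter threshold is an assumed tuning value.

```python
"""Hunt for files staged under C:\system and for outbound connections that repeat
on a fixed cadence, the two behaviours this page attributes to Rover's staging
(T1074.001, T1113) and automated exfiltration (T1020).

Added example; not code from the cited report or from Rover. EVENTS is
constructed sample data with field names that only loosely follow Sysmon's
FileCreate (ID 11) and NetworkConnect (ID 3) events.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

STAGING_DIR = r"C:\system"

EVENTS: List[dict] = [
    # constructed: implant stages a copied document, then a screenshot
    {"id": 11, "t": "2015-09-01T08:00:05", "image": r"C:\system\svchost.exe",
     "target": r"C:\system\report.docx"},
    {"id": 11, "t": "2015-09-01T08:59:50", "image": r"C:\system\svchost.exe",
     "target": r"C:\system\screenshot.bmp"},
    # constructed: ordinary browser activity for contrast
    {"id": 11, "t": "2015-09-01T08:10:00", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "target": r"C:\Users\alice\Downloads\memo.pdf"},
    {"id": 3, "t": "2015-09-01T08:03:00", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dst": "198.51.100.7:443"},
    {"id": 3, "t": "2015-09-01T08:05:00", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dst": "198.51.100.7:443"},
    {"id": 3, "t": "2015-09-01T09:40:00", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dst": "198.51.100.7:443"},
    # constructed: implant checks in about once an hour with slight jitter
    {"id": 3, "t": "2015-09-01T08:00:00", "image": r"C:\system\svchost.exe", "dst": "203.0.113.10:443"},
    {"id": 3, "t": "2015-09-01T09:00:12", "image": r"C:\system\svchost.exe", "dst": "203.0.113.10:443"},
    {"id": 3, "t": "2015-09-01T10:00:05", "image": r"C:\system\svchost.exe", "dst": "203.0.113.10:443"},
    {"id": 3, "t": "2015-09-01T11:00:30", "image": r"C:\system\svchost.exe", "dst": "203.0.113.10:443"},
]


def staging_writes(events: List[dict], staging_dir: str = STAGING_DIR) -> List[dict]:
    """FileCreate events whose target path lies inside the staging directory."""
    prefix = staging_dir.rstrip("\\").lower() + "\\"
    return [e for e in events if e["id"] == 11 and e["target"].lower().startswith(prefix)]


def periodic_connections(events: List[dict], min_count: int = 3,
                         max_cv: float = 0.1) -> Dict[Tuple[str, str], float]:
    """Map (image, destination) -> mean interval in seconds for pairs whose
    inter-connection gaps are nearly constant (coefficient of variation <= max_cv).
    max_cv is an assumed tuning value; tighten it for quieter networks."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            by_pair[(e["image"], e["dst"])].append(datetime.fromisoformat(e["t"]))
    flagged: Dict[Tuple[str, str], float] = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[pair] = avg
    return flagged


if __name__ == "__main__":
    for e in staging_writes(EVENTS):
        print(f"staged: {e['image']} wrote {e['target']} at {e['t']}")
    for (image, dst), period in periodic_connections(EVENTS).items():
        print(f"beacon: {image} -> {dst} every ~{period / 60:.1f} min")
```

The cadence check is generic: any repeated event source with timestamps (DNS queries, proxy logs, file writes) can be fed to `periodic_connections` with the same grouping idea, which is what makes a fixed timer like Rover's 60-minute upload stand out against bursty user-driven traffic.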

References