Rover

Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. [1]

ID: S0090
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1119 | Automated Collection | Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe.[1] |
| Enterprise | T1020 | Automated Exfiltration | Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.[1] |
| Enterprise | T1005 | Data from Local System | Rover searches for files on local drives based on a predefined list of file extensions.[1] |
| Enterprise | T1025 | Data from Removable Media | Rover searches for files on attached removable drives based on a predefined list of file extensions every five seconds.[1] |
| Enterprise | T1074 | Data Staged | Rover copies files from removable drives to C:\system.[1] |
| Enterprise | T1083 | File and Directory Discovery | Rover automatically searches for files on local drives based on a predefined list of file extensions.[1] |
| Enterprise | T1056 | Input Capture | Rover has keylogging functionality.[1] |
| Enterprise | T1112 | Modify Registry | Rover has functionality to remove Registry Run key persistence as a cleanup procedure.[1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Rover persists by creating a Registry entry in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.[1] |
| Enterprise | T1113 | Screen Capture | Rover takes screenshots of the compromised system's desktop and saves them to C:\system\screenshot.bmp for exfiltration every 60 minutes.[1] |
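The techniques above give a defender three concrete artifacts to look for: a new value under the HKCU Run key (T1060), files written into the C:\system staging directory (T1074, T1113), and outbound connections from one process to one destination repeating on a 60-minute cadence (T1020). The following is an added example, not code from the ATT&CK page or from any Rover analysis, showing that detection logic run over a small set of constructed endpoint events. The event shape (`ts`, `type`, `process`, `key`/`path`/`dest`), the process name `sample.exe`, the value name `Updater`, the destination addresses and the two-minute jitter tolerance are all assumptions made for the example; only the registry key path, the staging directory and the 60-minute interval come from the page.

```python
"""Rover-style behaviour detections over constructed sample telemetry (added example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Artifacts named on the page.
RUN_KEY_PREFIX = "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
STAGING_DIR = "C:\\system\\"
EXFIL_INTERVAL_S = 60 * 60      # page: collected files sent to C2 every 60 minutes
INTERVAL_TOLERANCE_S = 120      # assumption: tolerate +/- 2 minutes of jitter


def _norm(path: str) -> str:
    """Windows paths and registry keys are case-insensitive; normalise before comparing."""
    return path.replace("/", "\\").upper()


def flag_run_key_persistence(events: List[Event]) -> List[Event]:
    """Registry writes that create or change a value under the HKCU Run key (T1060)."""
    prefix = _norm(RUN_KEY_PREFIX)
    return [e for e in events
            if e["type"] == "registry_set" and _norm(str(e["key"])).startswith(prefix)]


def flag_staging_writes(events: List[Event]) -> List[Event]:
    """File creations inside C:\\system\\, the directory Rover stages copies in (T1074, T1113)."""
    prefix = _norm(STAGING_DIR)
    return [e for e in events
            if e["type"] == "file_create" and _norm(str(e["path"])).startswith(prefix)]


def flag_periodic_beacons(events: List[Event], interval: int = EXFIL_INTERVAL_S,
                          tolerance: int = INTERVAL_TOLERANCE_S,
                          min_gaps: int = 3) -> List[Tuple[str, str]]:
    """(process, destination) pairs whose connection gaps repeat at roughly `interval` seconds.

    A pair is reported once at least `min_gaps` inter-connection gaps fall within
    `tolerance` of the interval, which is what a fixed 60-minute exfiltration loop looks like.
    """
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for e in events:
        if e["type"] == "net_connect":
            by_pair[(str(e["process"]), str(e["dest"]))].append(int(e["ts"]))
    hits = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        regular = sum(1 for g in gaps if abs(g - interval) <= tolerance)
        if regular >= min_gaps:
            hits.append(pair)
    return sorted(hits)


def run_detections(events: List[Event]) -> Dict[str, object]:
    """Convenience wrapper returning one summary per detection."""
    return {
        "run_key_persistence": len(flag_run_key_persistence(events)),
        "staging_writes": len(flag_staging_writes(events)),
        "periodic_beacons": flag_periodic_beacons(events),
    }


# Constructed sample events (not real telemetry). Timestamps are epoch seconds.
SAMPLE_EVENTS: List[Event] = [
    {"ts": 1000, "type": "registry_set", "process": "sample.exe",
     "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"ts": 1200, "type": "file_create", "process": "sample.exe", "path": "C:\\system\\screenshot.bmp"},
    {"ts": 1300, "type": "file_create", "process": "sample.exe", "path": "C:\\system\\budget.xlsx"},
    {"ts": 1400, "type": "file_create", "process": "winword.exe",
     "path": "C:\\Users\\alice\\Documents\\report.docx"},       # benign write, outside C:\system
    {"ts": 2000, "type": "net_connect", "process": "sample.exe", "dest": "203.0.113.10:443"},
    {"ts": 5590, "type": "net_connect", "process": "sample.exe", "dest": "203.0.113.10:443"},
    {"ts": 9210, "type": "net_connect", "process": "sample.exe", "dest": "203.0.113.10:443"},
    {"ts": 12800, "type": "net_connect", "process": "sample.exe", "dest": "203.0.113.10:443"},
    {"ts": 2100, "type": "net_connect", "process": "browser.exe", "dest": "198.51.100.5:443"},
    {"ts": 2200, "type": "net_connect", "process": "browser.exe", "dest": "198.51.100.5:443"},
    {"ts": 2500, "type": "net_connect", "process": "browser.exe", "dest": "198.51.100.5:443"},
]

if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

Of the three checks, the Run-key write is the noisiest on its own, since many legitimate installers set values there; it becomes useful when correlated with the other two signals from the same process, as the sample events do. The beacon check deliberately counts qualifying gaps rather than requiring every gap to match, so a single missed connection does not hide the cadence.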

References