Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. [1]

ID: S0113
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1003 | Credential Dumping | A module in Prikormka collects passwords stored in applications installed on the victim.[1] |
| Enterprise | T1081 | Credentials in Files | A module in Prikormka gathers logins and passwords stored in applications on the victim, including Google Chrome, Mozilla Firefox, and several other browsers.[1] |
| Enterprise | T1002 | Data Compressed | After collecting documents from removable media, Prikormka compresses the collected files.[1] |
| Enterprise | T1132 | Data Encoding | Prikormka encodes C2 traffic with Base64.[1] |
| Enterprise | T1022 | Data Encrypted | After collecting files and logs from the victim, Prikormka encrypts some collected data with Blowfish.[1] |
| Enterprise | T1025 | Data from Removable Media | Prikormka contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB.[1] |
| Enterprise | T1074 | Data Staged | Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files.[1] |
| Enterprise | T1038 | DLL Search Order Hijacking | Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory.[1] |
| Enterprise | T1083 | File and Directory Discovery | A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the files.[1] |
| Enterprise | T1070 | Indicator Removal on Host | After encrypting log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.[1] |
| Enterprise | T1056 | Input Capture | Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | A module in Prikormka collects information on available printers and disk drives.[1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.[1] |
| Enterprise | T1085 | Rundll32 | Prikormka uses rundll32.exe to load its DLL.[1] |
| Enterprise | T1113 | Screen Capture | Prikormka contains a module that captures screenshots of the victim's desktop.[1] |
| Enterprise | T1063 | Security Software Discovery | A module in Prikormka collects information from the victim about installed anti-virus software.[1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Prikormka encrypts some C2 traffic with the Blowfish cipher.[1] |
| Enterprise | T1082 | System Information Discovery | A module in Prikormka collects information from the victim about the Windows OS version, computer name, battery info, and physical memory.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | A module in Prikormka collects information from the victim about the victim's IP addresses and MAC addresses.[1] |
| Enterprise | T1033 | System Owner/User Discovery | A module in Prikormka collects information from the victim about the current user name.[1] |