OLDBAIT

OLDBAIT is a credential harvester used by APT28. [1] [2]

ID: S0138
Aliases: OLDBAIT, Sasfis
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1003 | Credential Dumping | OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, Eudora, and several email clients. [1]
Enterprise | T1036 | Masquerading | OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter "o." [1]
Enterprise | T1027 | Obfuscated Files or Information | OLDBAIT obfuscates internal strings and unpacks them at startup. [1]
Enterprise | T1071 | Standard Application Layer Protocol | OLDBAIT can use HTTP or SMTP for C2. [1]
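The Masquerading entry above describes a hunting opportunity: OLDBAIT hides behind names that are one character away from legitimate-looking ones ("MediaPlayer" for "Media Player", "updatewindws.exe" for "updatewindows.exe"). The following script is an added example, not code from the ATT&CK page or the cited reports. It matches the exact install path from the table and, more generally, flags any path component that is exactly one edit away from a lookalike target. The LOOKALIKE_TARGETS list (assuming the spelled-out forms are the names being imitated) and the sample paths are constructed for this example.

```python
"""Hunt for OLDBAIT-style masquerading in observed file paths.

Added example for the T1036 entry. Flags (a) the exact install path given
in the technique table and (b) any path component that is one edit away
from a legitimate-looking name without being an exact match.
"""

# Assumed lookalike targets, derived from the technique description:
# the directory is missing a space, the file name is missing an "o".
LOOKALIKE_TARGETS = ("media player", "updatewindows.exe")

# Constructed sample input standing in for file-creation or process-start logs.
SAMPLE_PATHS = [
    r"C:\ProgramData\Application Data\Microsoft\MediaPlayer\updatewindws.exe",
    r"C:\Program Files\Windows Media Player\wmplayer.exe",
    r"C:\Users\alice\AppData\Local\Temp\setup.exe",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def near_miss_components(path: str, targets=LOOKALIKE_TARGETS):
    """Return (component, target) pairs where a path component is exactly one
    edit away from a lookalike target but is not the target itself."""
    hits = []
    for comp in path.replace("/", "\\").split("\\"):
        low = comp.lower()
        for target in targets:
            if low != target and edit_distance(low, target) == 1:
                hits.append((comp, target))
    return hits


def is_oldbait_path(path: str) -> bool:
    """Exact indicator from the technique table; the %ALLUSERPROFILE% prefix is
    ignored so the check works whatever the profile root resolves to."""
    norm = path.replace("/", "\\").lower()
    return norm.endswith("\\application data\\microsoft\\mediaplayer\\updatewindws.exe")


def triage(paths):
    """Return [(path, [reasons...])] for every path that looks suspicious."""
    findings = []
    for p in paths:
        reasons = []
        if is_oldbait_path(p):
            reasons.append("matches OLDBAIT install path")
        for comp, target in near_miss_components(p):
            reasons.append(f"component {comp!r} is one edit from {target!r}")
        if reasons:
            findings.append((p, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_PATHS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The near-miss check is deliberately broader than the single indicator: a later sample that drops the "o" elsewhere or restores the space still trips it, while genuine "Windows Media Player" paths do not, because their components are many edits away from the targets.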

Groups

Groups that use this software:

APT28

References