

OLDBAIT is a credential harvester used by APT28. [1] [2]

ID: S0138
Associated Software: Sasfis
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1003 | Credential Dumping | OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, Eudora, and several email clients. [1] |
| Enterprise | T1036 | Masquerading | OLDBAIT installs itself in `%ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe`; the directory name is missing a space and the file name is missing the letter "o." [1] |
| Enterprise | T1027 | Obfuscated Files or Information | OLDBAIT obfuscates internal strings and unpacks them at startup. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | OLDBAIT can use HTTP or SMTP for C2. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [1] |