OLDBAIT

OLDBAIT is a credential harvester used by APT28.[1][2]

ID: S0138
Associated Software: Sasfis
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1003 Credential Dumping

OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, Eudora, and several email clients.[1]

Enterprise T1036 Masquerading

OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter "o."[1]
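The masquerading described above relies on near-miss names: a directory missing a space and a file name missing one letter. A defender hunting for this pattern wants a check that flags path components within a single edit of a legitimate name rather than an exact-match blocklist. The following is an added example, not code from MITRE ATT&CK or from the cited reports; it assumes the imitated legitimate names are "Media Player" and "updatewindows.exe" and runs over constructed sample paths.

```python
import re

# Assumption for this example: the legitimate names being imitated. "Media Player" is the
# directory the page says lost its space; "updatewindows.exe" is the name with the "o" restored.
LEGITIMATE_NAMES = ("media player", "updatewindows.exe")

# Installation path reported on the page (environment variable left unexpanded).
OLDBAIT_PATH = r"%ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe"

# Constructed sample paths: the reported OLDBAIT path, a legitimate-looking install,
# and a genuine Windows Media Player binary that must not be flagged.
SAMPLE_PATHS = [
    OLDBAIT_PATH,
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player\updatewindows.exe",
    r"C:\Program Files\Windows Media Player\wmplayer.exe",
]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings, standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,        # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_components(path, legit=LEGITIMATE_NAMES, max_distance=1):
    """Return (component, legitimate_name, distance) for every path component that is a
    near miss of a legitimate name: within max_distance edits but not identical.
    Identical components are legitimate and are skipped; far-off names are unrelated."""
    findings = []
    for comp in re.split(r"[\\/]+", path):
        c = comp.lower()
        if not c or c in legit:
            continue
        for name in legit:
            d = levenshtein(c, name)
            if 0 < d <= max_distance:
                findings.append((comp, name, d))
    return findings


def scan(paths):
    """Map each suspicious path to its lookalike findings; clean paths are omitted."""
    results = {}
    for p in paths:
        hits = lookalike_components(p)
        if hits:
            results[p] = hits
    return results


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_PATHS).items():
        print(path)
        for comp, name, d in hits:
            print(f"  {comp!r} is {d} edit(s) from legitimate {name!r}")
```

The edit-distance threshold of one catches both tricks the page describes (a dropped space and a dropped letter) while leaving the genuine "Windows Media Player" directory and "wmplayer.exe" alone; widening the threshold trades false positives for coverage of sloppier imitations.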

Enterprise T1027 Obfuscated Files or Information

OLDBAIT obfuscates internal strings and unpacks them at startup.[1]

Enterprise T1071 Standard Application Layer Protocol

OLDBAIT can use HTTP or SMTP for C2.[1]

Groups That Use This Software

ID Name References
G0007 APT28 [1]

References