OLDBAIT is a credential harvester used by APT28. [1] [2]

ID: S0138
Associated Software: Sasfis
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 19 March 2020

Techniques Used

Domain ID Name Use

Enterprise T1071.001 Application Layer Protocol: Web Protocols

OLDBAIT can use HTTP for C2.[1]

Enterprise T1071.003 Application Layer Protocol: Mail Protocols

OLDBAIT can use SMTP for C2.[1]

Enterprise T1555 Credentials from Password Stores

OLDBAIT collects credentials from several email clients.[1]

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers

OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora.[1]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter "o."[1]
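The two misspellings above are the detection hook for this technique: a legitimate-looking directory with its space removed and a file name one letter short. The following Python is an added example written for this page (not code from the ATT&CK entry or from the reports it cites). It takes the dropped path from the page as its only page-sourced fact, treats "Media Player" as the legitimate directory name being imitated (an assumption), and generalises the directory check to any name that equals a trusted name with the spaces stripped. The process-creation records it scans are constructed sample data.

```python
"""Detection helper for the OLDBAIT masquerading path (ATT&CK T1036.005).

Added example, not from the ATT&CK page or the reports it cites. The only
page-sourced facts are the dropped path and its two misspellings; the
sample process-creation records below are constructed.
"""
import re

# Path the page gives for the OLDBAIT binary (environment variable left as written there).
OLDBAIT_PATH = r"%ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe"

# Directory names the malware imitates. "Media Player" is taken to be the
# legitimate Windows Media Player directory name (assumption); the page says
# the OLDBAIT copy drops the space. Extend this set for other trusted names.
LEGITIMATE_DIRS = {"media player"}

# File name exactly as dropped by OLDBAIT per the page (missing the "o" of "windows").
OLDBAIT_FILE = "updatewindws.exe"


def path_findings(image_path: str) -> list[str]:
    """Return human-readable reasons this image path resembles the OLDBAIT location.

    Two checks: (1) the exact file name the page reports, and (2) the general
    pattern of a directory whose spelling equals a legitimate name with its
    spaces removed, which covers 'MediaPlayer' without hard-coding it.
    """
    parts = [p for p in re.split(r"[\\/]+", image_path) if p]
    if not parts:
        return []
    filename = parts[-1].lower()
    findings = []
    if filename == OLDBAIT_FILE:
        findings.append(f"file name {parts[-1]!r} matches the OLDBAIT artifact")
    for d in parts[:-1]:
        low = d.lower()
        for legit in LEGITIMATE_DIRS:
            if low == legit.replace(" ", "") and low != legit:
                findings.append(f"directory {d!r} is {legit!r} with the space removed")
    return findings


# Constructed process-creation records (Sysmon-style fields, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Windows Media Player\wmplayer.exe"},
    {"pid": 5288, "image": r"C:\ProgramData\Application Data\Microsoft\MediaPlayer\updatewindws.exe"},
    {"pid": 6001, "image": r"C:\Users\alice\AppData\Local\MediaPlayer\helper.exe"},
    {"pid": 7330, "image": r"C:\Windows\System32\svchost.exe"},
]


def scan(events):
    """Return {pid: findings} for every event whose image path raised a finding."""
    hits = {}
    for ev in events:
        reasons = path_findings(ev["image"])
        if reasons:
            hits[ev["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Running the block flags the constructed OLDBAIT-style record on both counts and the `MediaPlayer` helper on the directory check alone, while the genuine `Windows Media Player` path produces nothing. The exact-file-name check is the high-confidence match; the space-stripped directory check is broader and worth tuning against your own process telemetry before alerting on it.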

Enterprise T1027 Obfuscated Files or Information

OLDBAIT obfuscates internal strings and unpacks them at startup.[1]

Groups That Use This Software

ID Name References
G0007 APT28