Mosquito

Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. [1]

ID: S0256
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.[1]

Enterprise T1122 Component Object Model Hijacking

Mosquito uses COM hijacking as a method of persistence.[1]

Enterprise T1024 Custom Cryptographic Protocol

Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.[1]

Enterprise T1106 Execution through API

Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.[1]

Enterprise T1107 File Deletion

Mosquito deletes files using the DeleteFileW API call.[1]

Enterprise T1112 Modify Registry

Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft[dllname] and modifies Registry keys under HKCR\CLSID...\InprocServer32 with a path to the launcher.[1]

Enterprise T1027 Obfuscated Files or Information

Mosquito's installer is obfuscated with a custom crypter.[1]

Enterprise T1086 PowerShell

Mosquito can launch PowerShell Scripts.[1]

Enterprise T1057 Process Discovery

Mosquito runs tasklist to obtain running processes.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Mosquito establishes persistence under the Registry key HKCU\Software\Run auto_update.[1]

Enterprise T1105 Remote File Copy

Mosquito can upload files to and download files from the victim.[1]

Enterprise T1085 Rundll32

Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.[1]
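The COM hijacking (T1122), Modify Registry (T1112), Run key (T1060) and Rundll32 (T1085) entries above all describe the same small set of registry locations: a CLSID\...\InprocServer32 default value redirected to the launcher, and a Run value that starts it through rundll32.exe. The following added example (written for this page, not code from MITRE, ESET or the malware) shows how a defender can triage those locations offline from a registry export. It parses .reg text and flags InprocServer32 servers registered in the user hive or in user-writable directories, and Run values that invoke rundll32.exe or point into user-writable paths. The embedded export, the CLSIDs and the paths in it are constructed for the example; the heuristics are assumptions, not indicators taken from the page.

```python
import re

# Constructed sample .reg export (not real Mosquito artifacts): one benign COM
# server, one HKCU CLSID override pointing into AppData, and a Run value that
# starts a DLL through rundll32.exe. CLSIDs and paths are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\launcher.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"auto_update"="rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\launcher.dll,Start"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" or @="data"; string bodies may contain escaped quotes/backslashes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')
# Directories a standard user can write to (heuristic; tune per environment).
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|users)\\", re.IGNORECASE)


def parse_reg(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            # .reg files double backslashes and escape quotes inside strings.
            data = m.group(2)[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            yield key, name, data


def assess(key, name, data):
    """Return the list of reasons a value looks like Mosquito-style persistence."""
    k = key.lower()
    reasons = []
    if k.endswith("\\inprocserver32") and name == "(Default)":
        # A CLSID registered under HKCU shadows the HKLM entry for that user,
        # which is the classic COM hijacking pattern.
        if k.startswith("hkey_current_user\\"):
            reasons.append("COM server registered in HKCU (overrides HKLM/HKCR for this user)")
        if USER_WRITABLE_RE.search(data):
            reasons.append("InprocServer32 points to a user-writable path")
    elif "\\currentversion\\run" in k or k.endswith("\\software\\run"):
        # Matches Run and RunOnce; the second test covers the HKCU\Software\Run
        # location named on this page.
        if "rundll32" in data.lower():
            reasons.append("Run value starts a DLL via rundll32.exe")
        if USER_WRITABLE_RE.search(data):
            reasons.append("Run value points to a user-writable path")
    return reasons


def scan(text):
    """Run assess() over every value in the export and collect the hits."""
    findings = []
    for key, name, data in parse_reg(text):
        reasons = assess(key, name, data)
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REG):
        print(f"{f['key']} :: {f['name']} = {f['data']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the sample this reports the HKCU CLSID override and the auto_update Run value, and stays silent on the shell32.dll server. The path heuristic will also flag legitimate per-user software installed under AppData, so in practice the scan is paired with an allowlist of known-good Run values and signed DLLs, and InprocServer32 hits are confirmed by comparing the HKCU entry against the HKLM entry for the same CLSID.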

Enterprise T1063 Security Software Discovery

Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system.[1]

Enterprise T1016 System Network Configuration Discovery

Mosquito uses the ipconfig command.[1]

Enterprise T1033 System Owner/User Discovery

Mosquito runs whoami on the victim's machine.[1]

Enterprise T1047 Windows Management Instrumentation

Mosquito's installer uses WMI to search for antivirus display names.[1]

Groups That Use This Software

ID Name References
G0010 Turla [1] [2]

References