Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. [1]

ID: S0256
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Mosquito establishes persistence under the Registry key HKCU\Software\Run auto_update.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Mosquito can launch PowerShell scripts.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.[1]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.[1]

Enterprise T1546.015 Event Triggered Execution: Component Object Model Hijacking

Mosquito uses COM hijacking as a method of persistence.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

Mosquito deletes files using the DeleteFileW API call.[1]

Enterprise T1105 Ingress Tool Transfer

Mosquito can upload and download files to the victim.[1]

Enterprise T1112 Modify Registry

Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft[dllname] and modifies Registry keys under HKCR\CLSID...\InprocServer32 with a path to the launcher.[1]

Enterprise T1106 Native API

Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.[1]

Enterprise T1027 Obfuscated Files or Information

Mosquito’s installer is obfuscated with a custom crypter.[1]

Enterprise T1057 Process Discovery

Mosquito runs tasklist to obtain running processes.[1]

Enterprise T1518.001 Software Discovery: Security Software Discovery

Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system.[1]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

Mosquito's launcher uses rundll32.exe in a Registry key value to start the main backdoor capability.[1]

Enterprise T1016 System Network Configuration Discovery

Mosquito uses the ipconfig command.[1]

Enterprise T1033 System Owner/User Discovery

Mosquito runs whoami on the victim’s machine.[1]

Enterprise T1047 Windows Management Instrumentation

Mosquito's installer uses WMI to search for antivirus display names.[1]
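A defender-side triage script, added here as an example (not Mosquito code and not MITRE tooling), that checks registry value records for the persistence artifacts the table above lists: autostart Run values, per-user CLSID\InprocServer32 overrides, and launchers that go through rundll32.exe. The records, user name, file paths and CLSIDs below are constructed for illustration; real input would come from a registry export or a host-inventory tool, and the "user-writable directory" list is an assumption, not something the page states.

```python
import re
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str, str]  # (key path, value name, data)

# Directories a dropped launcher DLL typically lives in (assumption, not from the page).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)
RUNDLL32 = re.compile(r"\brundll32(\.exe)?\b", re.IGNORECASE)


def triage(records: Iterable[Record]) -> List[Dict]:
    """Return one finding per record that matches a listed persistence pattern."""
    findings = []
    for key, name, data in records:
        k = key.lower()
        reasons = []
        if k.endswith("\\run"):  # T1547.001: autostart Run key value
            if RUNDLL32.search(data):
                reasons.append("Run value starts rundll32.exe (T1218.011)")
            if USER_WRITABLE.search(data):
                reasons.append("Run value points into a user-writable directory")
        elif k.endswith("\\inprocserver32"):  # T1546.015 / T1112: COM server path
            per_user = k.startswith(("hkcu", "hkey_current_user")) or \
                "\\software\\classes\\clsid\\" in k
            if per_user:
                reasons.append("per-user CLSID\\InprocServer32 override (COM hijacking)")
            if USER_WRITABLE.search(data):
                reasons.append("COM server DLL sits in a user-writable directory")
        if reasons:
            findings.append({"key": key, "value": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample: two benign entries and two that mirror the patterns above.
SAMPLE_RECORDS: List[Record] = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Run", "auto_update",
     r'rundll32.exe "C:\Users\alice\AppData\Roaming\launcher.dll",Start'),
    (r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32",
     "", r"C:\Users\alice\AppData\Local\Temp\launcher.dll"),
    (r"HKCR\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32",
     "", r"C:\Windows\System32\shell32.dll"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['key']} [{f['value']!r}] -> {f['data']}")
        for r in f["reasons"]:
            print("   -", r)
```

Legitimate per-user software does register COM servers and Run values under AppData, so treat the output as a hunting shortlist to compare against a known-good baseline rather than as an alert by itself.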

Groups That Use This Software

ID Name References
G0010 Turla