Mosquito

Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. [1]

ID: S0256
Aliases: Mosquito
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

| Name | Description |
|---|---|
| Mosquito | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.[1] |
| Enterprise | T1122 | Component Object Model Hijacking | Mosquito uses COM hijacking as a method of persistence.[1] |
| Enterprise | T1024 | Custom Cryptographic Protocol | Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.[1] |
| Enterprise | T1106 | Execution through API | Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.[1] |
| Enterprise | T1107 | File Deletion | Mosquito deletes files using the DeleteFileW API call.[1] |
| Enterprise | T1112 | Modify Registry | Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft\[dllname] and modifies Registry keys under HKCR\CLSID\...\InprocServer32 with a path to the launcher.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Mosquito's installer is obfuscated with a custom crypter.[1] |
| Enterprise | T1086 | PowerShell | Mosquito can launch PowerShell scripts.[1] |
| Enterprise | T1057 | Process Discovery | Mosquito runs tasklist to obtain running processes.[1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Mosquito establishes persistence under the Registry key HKCU\Software\Run auto_update.[1] |
| Enterprise | T1105 | Remote File Copy | Mosquito can upload and download files to the victim.[1] |
| Enterprise | T1085 | Rundll32 | Mosquito's launcher uses rundll32.exe in a Registry key value to start the main backdoor capability.[1] |
| Enterprise | T1063 | Security Software Discovery | Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Mosquito uses the ipconfig command.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Mosquito runs whoami on the victim's machine.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | Mosquito's installer uses WMI to search for antivirus display names.[1] |

Groups

Groups that use this software:

Turla

References