Register to stream ATT&CKcon 2.0 October 29-30


Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. [1]

ID: S0256
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server. [1]
Enterprise T1122 Component Object Model Hijacking Mosquito uses COM hijacking as a method of persistence. [1]
Enterprise T1024 Custom Cryptographic Protocol Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm. [1]
Enterprise T1106 Execution through API Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions. [1]
Enterprise T1107 File Deletion Mosquito deletes files using DeleteFileW API call. [1]
Enterprise T1112 Modify Registry Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft[dllname] and modifies Registry keys under HKCR\CLSID...\InprocServer32with a path to the launcher. [1]
Enterprise T1027 Obfuscated Files or Information Mosquito’s installer is obfuscated with a custom crypter to obfuscate the installer. [1]
Enterprise T1086 PowerShell Mosquito can launch PowerShell Scripts. [1]
Enterprise T1057 Process Discovery Mosquito runs tasklist to obtain running processes. [1]
Enterprise T1060 Registry Run Keys / Startup Folder Mosquito establishes persistence under the Registry key HKCU\Software\Run auto_update. [1]
Enterprise T1105 Remote File Copy Mosquito can upload and download files to the victim. [1]
Enterprise T1085 Rundll32 Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability. [1]
Enterprise T1063 Security Software Discovery Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system. [1]
Enterprise T1016 System Network Configuration Discovery Mosquito uses the ipconfig command. [1]
Enterprise T1033 System Owner/User Discovery Mosquito runs whoami on the victim’s machine. [1]
Enterprise T1047 Windows Management Instrumentation Mosquito's installer uses WMI to search for antivirus display names. [1]

Groups That Use This Software

ID Name References
G0010 Turla [1] [2]