Software: CosmicDuke, TinyBaron, ...

ID: S0050
Aliases: CosmicDuke, TinyBaron, BotgenStudios, NemesisGemina
Type: Malware
Platform: Windows

CosmicDuke is malware that was used by APT29 from 2010 to 2015.[1]

Techniques Used

  • Input Capture - CosmicDuke uses a keylogger and steals clipboard contents from victims.[1]
  • Data from Local System - CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.[2]
  • Credential Dumping - CosmicDuke collects user credentials, including passwords, for various programs and browsers, including popular instant messaging applications, Web browsers, and email clients. Windows account hashes, domain accounts, and LSA secrets are also collected, as are WLAN keys.[1]
  • Screen Capture - CosmicDuke takes periodic screenshots and exfiltrates them.[2]
  • Scheduled Task - CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence.[2]
  • New Service - CosmicDuke uses Windows services typically named "javamtsup" for persistence.[2]
  • Data from Removable Media - CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list.[2]
  • Email Collection - CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.[2]
  • Clipboard Data - CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[2]


The following groups use this software: