Software: Prikormka

Prikormka (Software)
ID: S0113
Aliases: Prikormka
Type: Malware
Platform: Windows

Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008.[1]

Techniques Used

  • DLL Search Order Hijacking - Prikormka achieves persistence through DLL search order hijacking: it saves itself as ntshrui.dll in the Windows directory. Because a loader's own directory is searched before System32, a program residing in the Windows directory picks up the malicious copy instead of the legitimate ntshrui.dll in the System32 subdirectory.[1]
  • Rundll32 - Prikormka uses rundll32.exe to load its DLL.[1]
  • Data Staged - Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which it uses to store collected log files.[1]
  • Data from Removable Media - Prikormka contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB.[1]
  • Data Compressed - After collecting documents from removable media, Prikormka compresses the collected files.[1]
  • Data Encrypted - After collecting files and logs from the victim, Prikormka encrypts some of the collected data with Blowfish.[1]
  • Input Capture - Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.[1]
  • Screen Capture - Prikormka contains a module that captures screenshots of the victim's desktop.[1]
  • Indicator Removal on Host - After encrypting log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.[1]
  • System Information Discovery - A module in Prikormka collects the victim machine's Windows OS version, computer name, battery information, and physical memory details.[1]
  • Credential Dumping - A module in Prikormka collects passwords stored by applications installed on the victim's machine.[1]
  • Credentials in Files - A module in Prikormka gathers logins and passwords stored by applications on the victim's machine, including Google Chrome, Mozilla Firefox, and several other browsers.[1]
  • File and Directory Discovery - A module in Prikormka collects the path, size, and creation time of files with specific extensions, but not their content.[1]
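The two host artifacts above that are cheapest to hunt for are the ntshrui.dll dropped into the Windows directory and the %USERPROFILE%\AppData\Local\SKC\ staging directory. The PowerShell sweep below is an added example written for this page; it is not code from ESET's report or from the MITRE entry. It assumes it is run in an elevated Windows PowerShell session on the host being examined, that %LOCALAPPDATA% resolves to the page's %USERPROFILE%\AppData\Local, and it reports any ntshrui.dll in %WINDIR% (signature, hash, and whether it differs from the System32 copy), any process that currently has that copy loaded, and the SKC directory if present.

```powershell
# Added hunting check for the Prikormka persistence and staging artifacts (example code,
# not the malware's or the report's). Assumes an elevated session on the examined host.

$findings = @()

# 1. DLL search order hijack. A loader's own directory is searched before System32, so a
#    ntshrui.dll placed in %WINDIR% shadows %WINDIR%\System32\ntshrui.dll for programs
#    that live in %WINDIR%. A legitimate install has no ntshrui.dll at that top level.
$rogue = Join-Path $env:WINDIR 'ntshrui.dll'
$legit = Join-Path $env:WINDIR 'System32\ntshrui.dll'

if (Test-Path -LiteralPath $rogue) {
    $sig       = Get-AuthenticodeSignature -FilePath $rogue
    $item      = Get-Item -LiteralPath $rogue
    $rogueHash = (Get-FileHash -LiteralPath $rogue -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Indicator = 'ntshrui.dll present in Windows directory (hijack candidate)'
        Path      = $rogue
        SHA256    = $rogueHash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        LastWrite = $item.LastWriteTime
    }

    # A benign duplicate would hash identically to the System32 copy; a mismatch is the tell.
    if (Test-Path -LiteralPath $legit) {
        $legitHash = (Get-FileHash -LiteralPath $legit -Algorithm SHA256).Hash
        if ($rogueHash -ne $legitHash) {
            $findings += [pscustomobject]@{
                Indicator = 'Windows-directory ntshrui.dll differs from System32 copy'
                Path      = $legit
                SHA256    = $legitHash
                SigStatus = (Get-AuthenticodeSignature -FilePath $legit).Status
                Signer    = 'reference copy'
                LastWrite = (Get-Item -LiteralPath $legit).LastWriteTime
            }
        }
    }

    # 2. Which processes have the rogue copy mapped right now? Module lists of protected
    #    processes cannot be read from user mode, so those are skipped, not fatal.
    foreach ($proc in Get-Process) {
        try {
            $loaded = @($proc.Modules | Where-Object { $_.FileName -ieq $rogue })
        } catch {
            continue
        }
        if ($loaded.Count -gt 0) {
            $start = $null
            try { $start = $proc.StartTime } catch { }
            $findings += [pscustomobject]@{
                Indicator = 'process has Windows-directory ntshrui.dll loaded'
                Path      = "$($proc.ProcessName) (PID $($proc.Id))"
                SHA256    = $rogueHash
                SigStatus = $sig.Status
                Signer    = 'loaded module'
                LastWrite = $start
            }
        }
    }
}

# 3. Staging directory for collected logs (%USERPROFILE%\AppData\Local\SKC\ on the page).
$staging = Join-Path $env:LOCALAPPDATA 'SKC'
if (Test-Path -LiteralPath $staging) {
    $files = @(Get-ChildItem -LiteralPath $staging -File -Recurse -Force -ErrorAction SilentlyContinue)
    $findings += [pscustomobject]@{
        Indicator = "staging directory present ($($files.Count) file(s))"
        Path      = $staging
        SHA256    = ''
        SigStatus = ''
        Signer    = ''
        LastWrite = (Get-Item -LiteralPath $staging).LastWriteTime
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Prikormka artifacts found at the checked locations.'
} else {
    $findings | Format-Table -AutoSize
}
```

An unsigned or differently-hashed ntshrui.dll at the top of %WINDIR% is the actionable result; acquire the file and the SKC directory before removing anything, since the log encryption module deletes plaintext logs and the encrypted remainder may be the only record of what was collected.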