S0048 PinchDuke
PinchDuke is malware that was used by APT29 from 2008 to 2010.
| Item | Value |
|---|---|
| ID | S0048 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server. |
| enterprise | T1555 | Credentials from Password Stores | PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook. |
| enterprise | T1555.003 | Credentials from Web Browsers | PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer. |
| enterprise | T1005 | Data from Local System | PinchDuke collects user files from the compromised host based on predefined file extensions. |
| enterprise | T1083 | File and Directory Discovery | PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list. |
| enterprise | T1003 | OS Credential Dumping | PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as the WinInet Credential Cache and Lightweight Directory Access Protocol (LDAP). |
| enterprise | T1082 | System Information Discovery | PinchDuke gathers system configuration information. |