S0050 CosmicDuke
CosmicDuke is malware that was used by APT29 from 2010 to 2015. [1]
Item | Value |
---|---|
ID | S0050 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 31 May 2017 |
Last Modified | 28 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers. [1][2] |
enterprise | T1020 | Automated Exfiltration | CosmicDuke exfiltrates collected files automatically over FTP to remote servers. [2] |
enterprise | T1115 | Clipboard Data | CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds. [2] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | CosmicDuke uses Windows services typically named "javamtsup" for persistence. [2] |
enterprise | T1555 | Credentials from Password Stores | CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys. [1] |
enterprise | T1555.003 | Credentials from Web Browsers | CosmicDuke collects user credentials, including passwords, for various programs including Web browsers. [1] |
enterprise | T1005 | Data from Local System | CosmicDuke steals user files from local hard drives with file extensions that match a predefined list. [2] |
enterprise | T1039 | Data from Network Shared Drive | CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list. [2] |
enterprise | T1025 | Data from Removable Media | CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list. [2] |
enterprise | T1114 | Email Collection | - |
enterprise | T1114.001 | Local Email Collection | CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration. [2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error. [2] |
enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be configured separately from C2 servers. [2] |
enterprise | T1068 | Exploitation for Privilege Escalation | CosmicDuke attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398. [1] |
enterprise | T1083 | File and Directory Discovery | CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list. [2] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | CosmicDuke uses a keylogger. [1] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.002 | Security Account Manager | CosmicDuke collects Windows account hashes. [1] |
enterprise | T1003.004 | LSA Secrets | CosmicDuke collects LSA secrets. [1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence. [2] |
enterprise | T1113 | Screen Capture | CosmicDuke takes periodic screenshots and exfiltrates them. [2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [1][3] |
References
- [1] F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- [2] F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- [3] Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.