Skip to content

S0050 CosmicDuke

CosmicDuke is malware that was used by APT29 from 2010 to 2015. 1

Item Value
ID S0050
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 28 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.12
enterprise T1020 Automated Exfiltration CosmicDuke exfiltrates collected files automatically over FTP to remote servers.2
enterprise T1115 Clipboard Data CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.2
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service CosmicDuke uses Windows services typically named “javamtsup” for persistence.2
enterprise T1555 Credentials from Password Stores CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.1
enterprise T1555.003 Credentials from Web Browsers CosmicDuke collects user credentials, including passwords, for various programs including Web browsers.1
enterprise T1005 Data from Local System CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.2
enterprise T1039 Data from Network Shared Drive CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list.2
enterprise T1025 Data from Removable Media CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list.2
enterprise T1114 Email Collection -
enterprise T1114.001 Local Email Collection CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.2
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers.2
enterprise T1068 Exploitation for Privilege Escalation CosmicDuke attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398.1
enterprise T1083 File and Directory Discovery CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.2
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging CosmicDuke uses a keylogger.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager CosmicDuke collects Windows account hashes.1
enterprise T1003.004 LSA Secrets CosmicDuke collects LSA secrets.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task CosmicDuke uses scheduled tasks typically named “Watchmon Service” for persistence.2
enterprise T1113 Screen Capture CosmicDuke takes periodic screenshots and exfiltrates them.2

Groups That Use This Software

ID Name References
G0016 APT29 13

References

Back to top