S0090 Rover
Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. [1]
Item | Value |
---|---|
ID | S0090 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 31 May 2017 |
Last Modified | 17 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1119 | Automated Collection | Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe. [1] |
enterprise | T1020 | Automated Exfiltration | Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe. [1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Rover persists by creating a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. [1] |
enterprise | T1005 | Data from Local System | Rover searches for files on local drives based on a predefined list of file extensions. [1] |
enterprise | T1025 | Data from Removable Media | Rover searches for files on attached removable drives based on a predefined list of file extensions every five seconds. [1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | Rover copies files from removable drives to C:\system. [1] |
enterprise | T1083 | File and Directory Discovery | Rover automatically searches for files on local drives based on a predefined list of file extensions. [1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Rover has keylogging functionality. [1] |
enterprise | T1112 | Modify Registry | Rover has functionality to remove its Registry Run key persistence as a cleanup procedure. [1] |
enterprise | T1113 | Screen Capture | Rover takes screenshots of the compromised system's desktop and saves them to C:\system\screenshot.bmp for exfiltration every 60 minutes. [1] |
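The rows above describe host artifacts that can be combined into a detection: a Run-key write under HKCU, file creation under C:\system (including screenshot.bmp), removal of that same Run key as cleanup, and outbound connections on a roughly 60-minute cadence. The Python below is an added example, not code from the ATT&CK page or from the Unit 42 report, that scores those signals per process over constructed Sysmon-style events. The event schema, the implant path, the benign processes, the destination addresses and the three-minute beacon tolerance are all assumptions made for the example.

```python
# Added example: detection logic for the Rover behaviours listed in the table above,
# run over constructed Sysmon-style events. Not code from the ATT&CK page or the
# Unit 42 report; event fields, process paths, addresses and timestamps are made up.
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the technique table: Run-key persistence, staging under
# C:\system, the screenshot file, and the 60-minute exfiltration cadence.
RUN_KEY_PREFIX = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"
STAGING_PREFIX = "c:\\system\\"
SCREENSHOT_PATH = "c:\\system\\screenshot.bmp"
BEACON_PERIOD = timedelta(minutes=60)
BEACON_TOLERANCE = timedelta(minutes=3)   # assumed jitter allowance, not from the report

# Constructed telemetry. "id" mirrors Sysmon event IDs: 13 = registry value set,
# 12 = registry value deleted, 11 = file created, 3 = network connection.
# "target" holds the registry path, file path or destination as appropriate.
# The implant path is hypothetical, not a known Rover filename.
IMPLANT = "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe"
SYNC_TOOL = "C:\\Program Files\\Sync\\sync.exe"   # hypothetical benign process
SAMPLE_EVENTS = [
    {"ts": "2020-01-06T09:00:00", "id": 13, "image": IMPLANT,
     "target": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\update"},
    {"ts": "2020-01-06T09:00:05", "id": 11, "image": IMPLANT, "target": "C:\\system\\screenshot.bmp"},
    {"ts": "2020-01-06T09:00:06", "id": 11, "image": IMPLANT, "target": "C:\\system\\brief.docx"},
    {"ts": "2020-01-06T09:01:00", "id": 3, "image": IMPLANT, "target": "203.0.113.10:80"},
    {"ts": "2020-01-06T10:01:02", "id": 3, "image": IMPLANT, "target": "203.0.113.10:80"},
    {"ts": "2020-01-06T11:00:58", "id": 3, "image": IMPLANT, "target": "203.0.113.10:80"},
    {"ts": "2020-01-06T11:05:00", "id": 12, "image": IMPLANT,
     "target": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\update"},
    # Benign noise: a Run-key write by itself is routine and must not fire alone.
    {"ts": "2020-01-06T09:10:00", "id": 13, "image": SYNC_TOOL,
     "target": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Sync"},
    {"ts": "2020-01-06T09:12:00", "id": 11, "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\user\\Desktop\\notes.txt"},
    {"ts": "2020-01-06T09:20:00", "id": 3, "image": SYNC_TOOL, "target": "198.51.100.7:443"},
]


def is_periodic(timestamps, period=BEACON_PERIOD, tol=BEACON_TOLERANCE, min_hits=3):
    """True if at least min_hits connections are spaced one period apart (within tol)."""
    ts = sorted(timestamps)
    regular_gaps = sum(1 for a, b in zip(ts, ts[1:]) if abs((b - a) - period) <= tol)
    return regular_gaps + 1 >= min_hits


def analyze(events):
    """Group events by process image and collect the Rover-relevant signals."""
    per_image = defaultdict(lambda: {"run_key": False, "run_key_removed": False,
                                     "staged": [], "screenshot": False, "connections": []})
    for ev in events:
        rec = per_image[ev["image"]]
        target = ev["target"].lower()
        if ev["id"] == 13 and target.startswith(RUN_KEY_PREFIX):
            rec["run_key"] = True                       # T1547.001 persistence
        elif ev["id"] == 12 and target.startswith(RUN_KEY_PREFIX):
            rec["run_key_removed"] = True               # T1112 cleanup of its own Run key
        elif ev["id"] == 11 and target.startswith(STAGING_PREFIX):
            rec["staged"].append(ev["target"])          # T1074.001 staging in C:\system
            if target == SCREENSHOT_PATH:
                rec["screenshot"] = True                # T1113 screenshot artifact
        elif ev["id"] == 3:
            rec["connections"].append(datetime.fromisoformat(ev["ts"]))
    return dict(per_image)


def score(rec):
    """One point per independent signal; the combination, not any single row, is the detection."""
    return sum([rec["run_key"], bool(rec["staged"]), rec["screenshot"],
                is_periodic(rec["connections"])])


def rover_like(events, threshold=3):
    """Process images showing at least `threshold` of the four Rover signals."""
    return sorted(img for img, rec in analyze(events).items() if score(rec) >= threshold)


if __name__ == "__main__":
    for img, rec in analyze(SAMPLE_EVENTS).items():
        print(f"{score(rec)}/4  {img}  staged={len(rec['staged'])} "
              f"beacon={is_periodic(rec['connections'])} cleanup={rec['run_key_removed']}")
    print("Rover-like:", rover_like(SAMPLE_EVENTS))
```

Run it directly to print the per-image scores. Scoring rather than alerting on any one row is deliberate: the Run-key write by sync.exe in the sample is the kind of thing legitimate software does constantly, while the same process also staging files into C:\system, dropping screenshot.bmp and connecting out every hour is not. Against real telemetry, map the `id` field onto Sysmon EventIDs 13, 12, 11 and 3 and the `target` field onto TargetObject, TargetFilename and DestinationIp respectively, and widen BEACON_TOLERANCE if the sensor's timestamps are coarse.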