S0138 OLDBAIT
OLDBAIT is a credential harvester used by APT28. 2 1
| Item | Value |
|---|---|
| ID | S0138 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 26 March 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | OLDBAIT can use HTTP for C2.2 |
| enterprise | T1071.003 | Mail Protocols | OLDBAIT can use SMTP for C2.2 |
| enterprise | T1555 | Credentials from Password Stores | OLDBAIT collects credentials from several email clients.2 |
| enterprise | T1555.003 | Credentials from Web Browsers | OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora.2 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter “o.”2 |
| enterprise | T1027 | Obfuscated Files or Information | OLDBAIT obfuscates internal strings and unpacks them at startup.2 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | 2 |