S0256 Mosquito
Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the launcher component.[1]
| Item | Value | 
|---|---|
| ID | S0256 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.2 | 
| Created | 17 October 2018 | 
| Last Modified | 26 March 2023 | 
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Mosquito establishes persistence with a Run key value named auto_update under the Registry key HKCU\Software\Run.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Mosquito can launch PowerShell scripts.[1] |
| enterprise | T1059.003 | Windows Command Shell | Mosquito executes cmd.exe, reads the results through a pipe, and sends the output back to the C2 server.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Mosquito uses a custom encryption algorithm that consists of XOR and a keystream similar to the Blum Blum Shub generator.[1] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.015 | Component Object Model Hijacking | Mosquito uses COM hijacking as a method of persistence.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Mosquito deletes files using the DeleteFileW API call.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Mosquito can upload and download files to and from the victim.[1] |
| enterprise | T1112 | Modify Registry | Mosquito can modify Registry keys under HKCU\Software\Microsoft\[dllname] to store configuration values. Mosquito also modifies Registry keys under HKCR\CLSID\...\InprocServer32 with a path to the launcher.[1] |
| enterprise | T1106 | Native API | Mosquito uses the CreateProcess() and LoadLibrary() API calls to execute files with the .exe and .dll extensions.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Mosquito's installer is obfuscated with a custom crypter.[1] |
| enterprise | T1027.011 | Fileless Storage | Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft\[dllname].[1] |
| enterprise | T1057 | Process Discovery | Mosquito runs tasklist to obtain the running processes.[1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Mosquito's installer searches the Registry and the system to see if specific antivirus tools are installed.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Mosquito's launcher uses rundll32.exe in a Registry key value to start the main backdoor capability.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Mosquito runs the ipconfig command.[1] |
| enterprise | T1033 | System Owner/User Discovery | Mosquito runs whoami on the victim's machine.[1] |
| enterprise | T1047 | Windows Management Instrumentation | Mosquito's installer uses WMI to search for antivirus display names.[1] |
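The T1573.001 row above describes Mosquito's C2 encryption as XOR combined with a Blum Blum Shub-like stream. The Python below is an added illustration of that construction and is not Mosquito's actual algorithm, parameters or key material: a textbook BBS generator (x_{i+1} = x_i^2 mod n, one least-significant bit per step) feeding an XOR layer. The toy primes P and Q, the static key bytes 5a a5, the seed 12345 and the sample payload are all constructed for the example.

```python
"""Toy Blum Blum Shub keystream with XOR layers, illustrating the kind of
symmetric stream construction described for Mosquito's C2 channel.
Added example: NOT Mosquito's algorithm, parameters or key material."""
from math import gcd

# Constructed toy parameters. BBS needs primes p, q with p = q = 3 (mod 4);
# these qualify but are far too small for real use (assumption for the demo).
P, Q = 499, 547
N = P * Q


def bbs_keystream(seed: int, length: int, n: int = N) -> bytes:
    """Return `length` bytes of BBS output.

    x_{i+1} = x_i^2 mod n; each step contributes the least-significant bit,
    eight steps per output byte. The seed must lie in (1, n) and be coprime
    with n, otherwise the sequence degenerates."""
    if not 1 < seed < n or gcd(seed, n) != 1:
        raise ValueError("seed must be in (1, n) and coprime with n")
    x = seed
    out = bytearray()
    for _ in range(length):
        byte = 0
        for _ in range(8):
            x = (x * x) % n
            byte = (byte << 1) | (x & 1)
        out.append(byte)
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`, repeating `key` cyclically if it is shorter."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def stream_xor(data: bytes, static_key: bytes, seed: int) -> bytes:
    """Two XOR layers: a repeating static key, then the BBS keystream.

    The same call encrypts and decrypts, since XOR is its own inverse, and
    because XOR is associative the two layers are equivalent to a single XOR
    with (keystream XOR static_key)."""
    return xor_bytes(xor_bytes(data, static_key), bbs_keystream(seed, len(data)))


if __name__ == "__main__":
    msg = b"whoami\r\nipconfig /all\r\n"      # constructed sample payload
    ct = stream_xor(msg, b"\x5a\xa5", 12345)  # constructed key and seed
    print(ct.hex())
    print(stream_xor(ct, b"\x5a\xa5", 12345))
```

Two points a practitioner should take from this: the same function encrypts and decrypts, so whoever recovers the modulus, seed and static key from one sample can decrypt every session; and stacking a static XOR key under a keystream XOR adds nothing, because the two layers collapse into a single XOR with the combined keystream.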
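Several rows above describe artefacts that can be hunted in a Registry export: a Run value that invokes rundll32.exe on a DLL in the user's profile (T1547.001, T1218.011) and a CLSID InprocServer32 value redirected to the launcher (T1546.015, T1112). The Python below is an added example, not ATT&CK's or ESET's code. It parses `reg export`-style text and flags both patterns. The sample export, the CLSID, the user name and the launcher.dll file name in it are constructed placeholders rather than Mosquito indicators, and the lists of user-writable and trusted directories are assumptions to tune for the estate.

```python
"""Hunt a Registry export for two persistence patterns from the table above:
Run-key values that launch rundll32 or a DLL from a user-writable path, and
CLSID InprocServer32 entries resolving outside the normal system locations.
Added example, not ATT&CK's or ESET's code; the .reg text, CLSID and file
names below are constructed placeholders, not Mosquito indicators."""
import re

# Constructed `reg export`-style sample. Every entry is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"auto_update"="rundll32.exe \"C:\\Users\\alice\\AppData\\Roaming\\Update\\launcher.dll\",Start"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-00000000ABCD}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\launcher.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-00000000ABCD}\InprocServer32]
@="%SystemRoot%\\system32\\shell32.dll"
"ThreadingModel"="Apartment"
'''

# Assumptions about the estate: tune these patterns to your own build.
RUN_KEY = re.compile(r"\\Software\\(Microsoft\\Windows\\CurrentVersion\\)?Run(Once)?$", re.I)
INPROC_KEY = re.compile(r"\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\[^\\]+)\\", re.I)
TRUSTED_DIR = re.compile(r"^[A-Z]:\\(Windows\\(System32|SysWOW64)|Program Files( \(x86\))?)\\", re.I)
WIN_PATH = re.compile(r'[A-Z]:\\[^"<>|,]+?\.(?:dll|exe)\b', re.I)
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')


def unescape(s: str) -> str:
    """Undo .reg string escaping (backslash-escaped backslash and quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, value_name, string_value) for every REG_SZ value in a .reg
    export. Binary and dword values are skipped; the checks need only strings."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if key is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(2))
        yield key, name, unescape(m.group(4))


def expand(path: str) -> str:
    """Resolve the two environment variables that commonly appear in
    InprocServer32 values. Assumes the standard C:\\Windows system root."""
    return re.sub(r"%(SystemRoot|windir)%", r"C:\\Windows", path, flags=re.I)


def hunt(text: str):
    """Return a list of (key, value_name, reason) findings, in export order."""
    findings = []
    for key, name, value in parse_reg_export(text):
        paths = WIN_PATH.findall(expand(value))
        if RUN_KEY.search(key):
            if "rundll32" in value.lower():
                findings.append((key, name, "autostart via rundll32: " + value))
            elif any(USER_WRITABLE.search(p) for p in paths):
                findings.append((key, name, "autostart from user-writable path: " + value))
        elif INPROC_KEY.search(key) and name == "(Default)":
            untrusted = not paths or not all(TRUSTED_DIR.match(p) for p in paths)
            if untrusted or any(USER_WRITABLE.search(p) for p in paths):
                # A CLSID under HKCU shadows the HKLM entry in the merged HKCR
                # view, which is the classic COM hijacking placement.
                scope = "per-user override, " if key.upper().startswith("HKEY_CURRENT_USER") else ""
                findings.append((key, name, scope + "COM server outside trusted dirs: " + value))
    return findings


if __name__ == "__main__":
    for key, name, reason in hunt(SAMPLE_REG):
        print(f"{key}\n  {name}: {reason}")
```

On a live host the same rules apply to the output of `reg export HKCU\Software\Classes\CLSID` and `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the HKLM copy of a hijacked CLSID will usually still point at the legitimate DLL, which is why the HKCU entry is the one worth comparing against it.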
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G0010 | Turla | [1][2][3] |
References
- [1] ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- [2] ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
- [3] Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.