Skip to content

S0256 Mosquito

Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. 1

Item Value
ID S0256
Associated Names
Version 1.2
Created 17 October 2018
Last Modified 26 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Mosquito establishes persistence under the Registry key HKCU\Software\Run auto_update.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Mosquito can launch PowerShell Scripts.1
enterprise T1059.003 Windows Command Shell Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.015 Component Object Model Hijacking Mosquito uses COM hijacking as a method of persistence.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Mosquito deletes files using DeleteFileW API call.1
enterprise T1105 Ingress Tool Transfer Mosquito can upload and download files to the victim.1
enterprise T1112 Modify Registry Mosquito can modify Registry keys under HKCU\Software\Microsoft[dllname] to store configuration values. Mosquito also modifies Registry keys under HKCR\CLSID...\InprocServer32 with a path to the launcher.1
enterprise T1106 Native API Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.1
enterprise T1027 Obfuscated Files or Information Mosquito’s installer is obfuscated with a custom crypter to obfuscate the installer.1
enterprise T1027.011 Fileless Storage Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft[dllname].1
enterprise T1057 Process Discovery Mosquito runs tasklist to obtain running processes.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Mosquito‘s installer searches the Registry and system to see if specific antivirus tools are installed on the system.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Mosquito‘s launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.1
enterprise T1016 System Network Configuration Discovery Mosquito uses the ipconfig command.1
enterprise T1033 System Owner/User Discovery Mosquito runs whoami on the victim’s machine.1
enterprise T1047 Windows Management Instrumentation Mosquito‘s installer uses WMI to search for antivirus display names.1

Groups That Use This Software

ID Name References
G0010 Turla 123