Currently viewing ATT&CK v8.2, which was live between October 27, 2020 and April 28, 2021.

CosmicDuke

CosmicDuke is malware that was used by APT29 from 2010 to 2015. [1]

ID: S0050
Associated Software: TinyBaron, BotgenStudios, NemesisGemina
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 28 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.[1][2]

Enterprise T1020 Automated Exfiltration

CosmicDuke exfiltrates collected files automatically over FTP to remote servers.[2]

Enterprise T1115 Clipboard Data

CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

CosmicDuke uses Windows services typically named "javamtsup" for persistence.[2]

Enterprise T1555 Credentials from Password Stores

CosmicDuke collects user credentials, including passwords, for various programs, including popular instant messaging applications and email clients, as well as WLAN keys.[1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

CosmicDuke collects user credentials, including passwords, for various programs including Web browsers.[1]

Enterprise T1005 Data from Local System

CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.[2]

Enterprise T1039 Data from Network Shared Drive

CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list.[2]

Enterprise T1025 Data from Removable Media

CosmicDuke steals user files from removable media with file extensions and keywords that match a predefined list.[2]

Enterprise T1114 .001 Email Collection: Local Email Collection

CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.[2]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers.[2]

Enterprise T1068 Exploitation for Privilege Escalation

CosmicDuke attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398.[1]

Enterprise T1083 File and Directory Discovery

CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.[2]

Enterprise T1056 .001 Input Capture: Keylogging

CosmicDuke uses a keylogger.[1]

Enterprise T1003 .004 OS Credential Dumping: LSA Secrets

CosmicDuke collects LSA secrets.[1]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

CosmicDuke collects Windows account hashes.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence.[2]

Enterprise T1113 Screen Capture

CosmicDuke takes periodic screenshots and exfiltrates them.[2]
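The two persistence rows above (T1543.003 and T1053.005) give a defender concrete names to hunt for: a Windows service typically named "javamtsup" and a scheduled task typically named "Watchmon Service". The following is an added example, not part of the ATT&CK page or of any vendor's detection content, showing how those names can be matched against service-installation and scheduled-task-creation records. The sample records are constructed for illustration, and the field names (event_id, service_name, task_name, image_path, command) are assumptions modelled loosely on the Windows System 7045 and Security 4698 events rather than a specific log pipeline's schema.

```python
"""Hunt for the CosmicDuke persistence names listed on the ATT&CK page.

Added example, not ATT&CK or vendor code.  Record layout and field names are
assumptions; the records below are constructed, not real telemetry.
"""

# Constructed sample records.  7045 is modelled on the System-log "A service
# was installed in the system" event, 4698 on the Security-log "A scheduled
# task was created" event.  Paths and hostnames are made up.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws01", "service_name": "javamtsup",
     "image_path": r"C:\Users\Public\svc.exe"},
    {"event_id": 7045, "host": "ws01", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 4698, "host": "ws02", "task_name": r"\Watchmon Service",
     "command": r"C:\ProgramData\wm.exe"},
    {"event_id": 4698, "host": "ws02",
     "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe"},
]

# Artifact names taken from the ATT&CK rows, mapped to the technique they
# evidence.  Keys are lower-cased so matching is case-insensitive.
PERSISTENCE_NAMES = {
    "javamtsup": "T1543.003",        # Create or Modify System Process: Windows Service
    "watchmon service": "T1053.005",  # Scheduled Task/Job: Scheduled Task
}


def _artifact_name(event):
    """Return the name to compare for a record, or None if the record is not
    a service-install or task-creation event."""
    if event.get("event_id") == 7045:
        return event.get("service_name", "")
    if event.get("event_id") == 4698:
        # Task names are logged as paths such as \Folder\Task; compare only
        # the leaf so folder placement does not defeat the match.
        return event.get("task_name", "").rsplit("\\", 1)[-1]
    return None


def match_persistence_artifacts(events):
    """Return one finding per record whose service or task name matches a
    CosmicDuke persistence name, with host, technique id and the name seen."""
    findings = []
    for ev in events:
        name = _artifact_name(ev)
        if name is None:
            continue
        technique = PERSISTENCE_NAMES.get(name.strip().lower())
        if technique:
            findings.append({"host": ev.get("host", "?"),
                             "technique": technique,
                             "artifact": name,
                             "binary": ev.get("image_path") or ev.get("command")})
    return findings


if __name__ == "__main__":
    for f in match_persistence_artifacts(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['technique']} via {f['artifact']!r} -> {f['binary']}")
```

The match is on the exact leaf name only, so it catches the "typical" names the page reports and nothing else; the page itself says "typically", so the word should be read as a caution that a renamed service or task will not trigger this check and that the binary path of any newly installed service or task is still worth reviewing.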

Groups That Use This Software

ID Name References
G0016 APT29 [1]

References