Rover
Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1119 | Automated Collection |
Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe.[1] |
|
| Enterprise | T1020 | Automated Exfiltration |
Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.[1] |
|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Rover persists by creating a Registry entry in |
| Enterprise | T1005 | Data from Local System |
Rover searches for files on local drives based on a predefined list of file extensions.[1] |
|
| Enterprise | T1025 | Data from Removable Media |
Rover searches for files on attached removable drives based on a predefined list of file extensions every five seconds.[1] |
|
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging | |
| Enterprise | T1083 | File and Directory Discovery |
Rover automatically searches for files on local drives based on a predefined list of file extensions.[1] |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging | |
| Enterprise | T1112 | Modify Registry |
Rover has functionality to remove Registry Run key persistence as a cleanup procedure.[1] |
|
| Enterprise | T1113 | Screen Capture |
Rover takes screenshots of the compromised system's desktop and saves them to |
|