Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Mosquito

Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. (Citation: ESET Turla Mosquito Jan 2018)
ID: S0256
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 17 Oct 2018
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Mosquito establishes persistence under the Registry key HKCU\Software\Run auto_update.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Mosquito can launch PowerShell Scripts.(Citation: ESET Turla Mosquito Jan 2018)

.003 Command and Scripting Interpreter: Windows Command Shell

Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

Mosquito uses COM hijacking as a method of persistence.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1070 .004 Indicator Removal: File Deletion

Mosquito deletes files using DeleteFileW API call.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1027 .011 Obfuscated Files or Information: Fileless Storage

Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft\[dllname].(Citation: ESET Turla Mosquito Jan 2018)

.013 Obfuscated Files or Information: Encrypted/Encoded File

Mosquito’s installer is obfuscated with a custom crypter to obfuscate the installer.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.(Citation: ESET Turla Mosquito Jan 2018)

Groups That Use This Software

ID Name References
G0010 Turla

(Citation: ESET Turla Mosquito Jan 2018) (Citation: ESET Turla Mosquito May 2018) (Citation: Secureworks IRON HUNTER Profile)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.