OLDBAIT

OLDBAIT is a credential harvester used by APT28. ^[1] ^[2]

ID: S0138

ⓘ

Associated Software: Sasfis

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 26 March 2023

Techniques Used

Domain	ID		Name	Use
Enterprise	T1555		从密码存储中获取凭证	OLDBAIT collects credentials from several email clients.^[1]
		.003	Credentials from Web Browsers	OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora.^[1]
Enterprise	T1036	.005	伪装: Match Legitimate Name or Location	OLDBAIT installs itself in `%ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe`; the directory name is missing a space and the file name is missing the letter "o."^[1]
Enterprise	T1071	.001	应用层协议: Web Protocols	OLDBAIT can use HTTP for C2.^[1]
		.003	应用层协议: Mail Protocols	OLDBAIT can use SMTP for C2.^[1]
Enterprise	T1027		混淆文件或信息	OLDBAIT obfuscates internal strings and unpacks them at startup.^[1]

Groups That Use This Software

ID	Name	References
G0007	APT28	^[1]

References

FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.

FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.