Field | Value |
---|---|
ID | F0002 |
Objective(s) | Collection, Credential Access |
Related ATT&CK Techniques | Input Capture: Keylogging (T1056.001, T1417.001) |
Version | 2.0 |
Created | 14 August 2020 |
Last Modified | 13 September 2023 |
Malware captures user keyboard input.
See ATT&CK: Input Capture: Keylogging (T1056.001, T1417.001)
Name | ID | Description |
---|---|---|
Application Hook | F0002.001 | Keystrokes are captured with an application hook. |
Polling | F0002.002 | Keystrokes are captured via polling (e.g., user32.GetAsyncKeyState, user32.GetKeyState). |
Name | Date | Method | Description |
---|---|---|---|
Hupigon | 2013 | -- | Certain variants of the malware may have keylogging functionality. [1] |
Hupigon | 2013 | F0002.002 | Malware logs keystrokes via polling. [9] |
UP007 | 2016 | -- | The malware logs keystrokes to a file. [2] |
BlackEnergy | 2007 | -- | BlackEnergy's keylogger plugin allows for the collection of keystrokes. [3] |
DarkComet | 2008 | -- | DarkComet can capture keystrokes. [4] |
DarkComet | 2008 | F0002.002 | Malware logs keystrokes via polling. [9] |
Poison Ivy | 2005 | -- | Poison Ivy can capture keystrokes. [5] |
CHOPSTICK | 2015 | -- | CHOPSTICK collects user keystrokes. [6] |
Kovter | 2016 | F0002.002 | Malware logs keystrokes via polling. [9] |
Redhip | 2011 | F0002.001 | Malware logs keystrokes via application hook. [9] |
Redhip | 2011 | F0002.002 | Malware logs keystrokes via polling. [9] |
Rombertik | 2015 | F0002.002 | Malware logs keystrokes via polling. [9] |
Ursnif | 2016 | F0002.002 | Malware logs keystrokes via polling. [9] |
Tool: capa | Mapping | APIs |
---|---|---|
log keystrokes via polling | Keylogging::Polling (F0002.002) | user32.GetAsyncKeyState, user32.GetKeyState, user32.GetKeyboardState, user32.VkKeyScan, user32.VkKeyScanEx, user32.GetKeyNameText |
log keystrokes via application hook | Keylogging::Application Hook (F0002.001) | -- |
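The following rule shows how the polling API mapping above turns into a detection. It is an added example written in capa rule syntax (the v4-era `scope:` form, matching the capa version cited on this page); it is not capa's own rule for F0002.002, and the rule name, namespace, and the decision to require a loop are this editor's assumptions, not something the catalog specifies.

```yaml
# Added example, not a rule shipped with capa. Built from the F0002.002 API
# mapping on this page; name, namespace and loop requirement are assumptions.
rule:
  meta:
    name: log keystrokes via polling (example)
    namespace: collection/keylog
    scope: function
    mbc:
      - Collection::Keylogging::Polling [F0002.002]
    att&ck:
      - Collection::Input Capture::Keylogging [T1056.001]
  features:
    - and:
      # A polling keylogger samples key state repeatedly, so anchor the match
      # on a loop; a single GetAsyncKeyState call is common in benign UI code.
      - characteristic: loop
      - or:
        - api: user32.GetAsyncKeyState
        - api: user32.GetKeyState
        - api: user32.GetKeyboardState
      # Converting the sampled virtual-key code to a character or key name is
      # the second half of the pattern; keep it optional so it raises
      # confidence without being required for a hit.
      - optional:
        - or:
          - api: user32.VkKeyScan
          - api: user32.VkKeyScanEx
          - api: user32.GetKeyNameText
```

The loop requirement is the main false-positive control: games, hotkey utilities and input libraries also import `GetAsyncKeyState`, but a function that calls it inside a loop and then translates the key code is much closer to the behaviour the samples table attributes to Hupigon, Kovter, Rombertik and Ursnif. The Application Hook method (F0002.001) has no API list in the mapping table above, so this example does not cover it.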
[1] https://www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml
[2] https://citizenlab.ca/2016/04/between-hong-kong-and-burma/
[3] https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
[4] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
[5] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy
[6] https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
[7] capa v4.0, analyzed at MITRE on 10/12/2022
[8] https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf
[9] capa v4.0, analyzed at MITRE on 10/12/2022