| ID | E1113 |
| Objective(s) | Collection, Credential Access |
| Related ATT&CK Techniques | Screen Capture (T1113) |
| Version | 2.0 |
| Created | 1 August 2019 |
| Last Modified | 21 November 2022 |
Malware takes screen captures of the desktop.
See ATT&CK: Screen Capture (T1113).
| Name | ID | Description |
|---|---|---|
| WinAPI | E1113.m01 | Screen is captured using WinAPI functions (e.g., user32.GetDesktopWindow). |
| Name | Date | Method | Description |
|---|---|---|---|
| GotBotKR | 2019 | -- | GoBotKR is capable of capturing screenshots. [1] |
| BlackEnergy | 2007 | -- | Screenshot plugin allows for collection of screenshots [2] |
| DarkComet | 2008 | -- | Can take screenshots of victim's computer [3] |
| CHOPSTICK | 2015 | -- | CHOPSTICK takes snapshots of deskop and window contents [4] |
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[2] https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
[3] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
[4] https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf