ID | E1056 |
Objective(s) | Collection, Credential Access |
Related ATT&CK Techniques | Input Capture (T1056, T1417) |
Version | 2.1 |
Created | 1 August 2019 |
Last Modified | 13 September 2023 |
Malware captures user input.
See ATT&CK: Input Capture (T1056, T1417).
Name | ID | Description |
---|---|---|
Mouse Events | E1056.m01 | Mouse events are captured. |
Name | Date | Method | Description |
---|---|---|---|
Rombertik | 2015 | -- | The malware injects itself into a browser and captures user input data. [1] |
Ursnif | 2016 | -- | The malware injects HTML into a browser session to collect sensitive online banking information while the victim is banking online. [2] |
Poison Ivy | 2005 | -- | Poison Ivy can capture audio and video. [4] |
Clipminer | 2011 | -- | Clipminer monitors keyboard and mouse activity to determine if the machine is in use. [5] |
ElectroRAT | 2020 | -- | ElectroRAT monitors keyboard and mouse activity to determine whether the machine is in use. [6] |
Tool: capa | Mapping | APIs |
---|---|---|
use .NET library SharpClipboard | Input Capture (E1056) | |
[1] https://blogs.cisco.com/security/talos/rombertik
[2] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279
[3] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking
[4] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/poison-ivy
[5] https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf
[6] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/