Skip to content

Hide Navigation Hide TOC

Rover - S0090 (6b616fc1-1505-48e3-8b2c-0d19337bff38)

Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. (Citation: Palo Alto Rover)

Cluster A Galaxy A Cluster B Galaxy B Level
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Rover - S0090 (6b616fc1-1505-48e3-8b2c-0d19337bff38) Malware 1
Rover - S0090 (6b616fc1-1505-48e3-8b2c-0d19337bff38) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 1
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern Rover - S0090 (6b616fc1-1505-48e3-8b2c-0d19337bff38) Malware 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Rover - S0090 (6b616fc1-1505-48e3-8b2c-0d19337bff38) Malware 1
Rover - S0090 (6b616fc1-1505-48e3-8b2c-0d19337bff38) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern Rover - S0090 (6b616fc1-1505-48e3-8b2c-0d19337bff38) Malware 1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Rover - S0090 (6b616fc1-1505-48e3-8b2c-0d19337bff38) Malware 1
Rover - S0090 (6b616fc1-1505-48e3-8b2c-0d19337bff38) Malware Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Rover - S0090 (6b616fc1-1505-48e3-8b2c-0d19337bff38) Malware 1
Rover (53e94bc9-c8d2-4fb6-9c02-00841e454050) Malpedia Rover - S0090 (6b616fc1-1505-48e3-8b2c-0d19337bff38) Malware 1
Rover - S0090 (6b616fc1-1505-48e3-8b2c-0d19337bff38) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2