GeminiDuke
GeminiDuke is malware that was used by APT29 from 2009 to 2012. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
GeminiDuke uses HTTP and HTTPS for command and control.[1] |
| Enterprise | T1083 | 文件和目录发现 |
GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.[1] |
|
| Enterprise | T1007 | 系统服务发现 |
GeminiDuke collects information on programs and services on the victim that are configured to automatically run at startup.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 |
GeminiDuke collects information on network settings and Internet proxy settings from the victim.[1] |
|
| Enterprise | T1087 | .001 | 账号发现: Local Account |
GeminiDuke collects information on local user accounts from the victim.[1] |
| Enterprise | T1057 | 进程发现 |
GeminiDuke collects information on running processes and environment variables from the victim.[1] |
|