| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1090.001 | Proxy: Internal Proxy | MiniDuke can use a named pipe to forward communications from one compromised machine with internet access to other compromised machines.[2] |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | MiniDuke can use DGA to generate new Twitter URLs for C2.[2] |
| Enterprise | T1008 | Fallback Channels | MiniDuke uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working.[3] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1027 | Obfuscated Files or Information | MiniDuke can use control flow flattening to obscure code.[2] |
| Enterprise | T1082 | System Information Discovery | MiniDuke can gather the hostname on a compromised machine.[2] |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | Some MiniDuke components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds.[1][3][2] |
| Enterprise | T1105 | Ingress Tool Transfer | MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[3][2] |
| ID | Name | Description |
|---|---|---|
| C0023 | Operation Ghost | For Operation Ghost, APT29 used MiniDuke as a second-stage backdoor.[2] |