PolyglotDuke
PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1112 | 修改注册表 |
PolyglotDuke can write encrypted JSON configuration files to the Registry.[1] |
|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.[1] |
|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
PolyglotDuke has has used HTTP GET requests in C2 communications.[1] |
| Enterprise | T1106 | 本机API |
PolyglotDuke can use |
|
| Enterprise | T1027 | 混淆文件或信息 |
PolyglotDuke can custom encrypt strings.[1] |
|
| .003 | Steganography |
PolyglotDuke can use steganography to hide C2 information in images.[1] |
||
| .011 | Fileless Storage |
PolyglotDuke can store encrypted JSON configuration files in the Registry.[1] |
||
| Enterprise | T1218 | .011 | 系统二进制代理执行: Rundll32 |
PolyglotDuke can be executed using rundll32.exe.[1] |
| Enterprise | T1102 | .001 | 网络服务: Dead Drop Resolver |
PolyglotDuke can use Twitter, Reddit, Imgur and other websites to get a C2 URL.[1] |
| Enterprise | T1105 | 输入工具传输 |
PolyglotDuke can retrieve payloads from the C2 server.[1] |
|
Groups That Use This Software
Campaigns
| ID | Name | Description |
|---|---|---|
| C0023 | Operation Ghost |
For Operation Ghost, APT29 used PolyglotDuke as a first-stage downloader.[1] |