S0049 GeminiDuke
GeminiDuke is malware that was used by APT29 from 2009 to 2012. 1
| Item | Value |
|---|---|
| ID | S0049 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | GeminiDuke collects information on local user accounts from the victim.1 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | GeminiDuke uses HTTP and HTTPS for command and control.1 |
| enterprise | T1083 | File and Directory Discovery | GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user’s home folder, files and folders present in any user’s My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.1 |
| enterprise | T1057 | Process Discovery | GeminiDuke collects information on running processes and environment variables from the victim.1 |
| enterprise | T1016 | System Network Configuration Discovery | GeminiDuke collects information on network settings and Internet proxy settings from the victim.1 |
| enterprise | T1007 | System Service Discovery | GeminiDuke collects information on programs and services on the victim that are configured to automatically run at startup.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0016 | APT29 | 1 |