Skip to content

S0049 GeminiDuke

GeminiDuke is malware that was used by APT29 from 2009 to 2012. 1

Item Value
ID S0049
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account GeminiDuke collects information on local user accounts from the victim.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols GeminiDuke uses HTTP and HTTPS for command and control.1
enterprise T1083 File and Directory Discovery GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user’s home folder, files and folders present in any user’s My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.1
enterprise T1057 Process Discovery GeminiDuke collects information on running processes and environment variables from the victim.1
enterprise T1016 System Network Configuration Discovery GeminiDuke collects information on network settings and Internet proxy settings from the victim.1
enterprise T1007 System Service Discovery GeminiDuke collects information on programs and services on the victim that are configured to automatically run at startup.1

Groups That Use This Software

ID Name References
G0016 APT29 1

References

Back to top