S0051 MiniDuke
MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke. [1]
Item | Value |
---|---|
ID | S0051 |
Associated Names | |
Type | MALWARE |
Version | 1.3 |
Created | 31 May 2017 |
Last Modified | 14 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | MiniDuke uses HTTP and HTTPS for command and control. [1][2] |
enterprise | T1568 | Dynamic Resolution | - |
enterprise | T1568.002 | Domain Generation Algorithms | MiniDuke can use a DGA to generate new Twitter URLs for C2. [2] |
enterprise | T1008 | Fallback Channels | MiniDuke uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working. [3] |
enterprise | T1083 | File and Directory Discovery | MiniDuke can enumerate local drives. [2] |
enterprise | T1105 | Ingress Tool Transfer | MiniDuke can download additional encrypted backdoors onto the victim via GIF files. [3][2] |
enterprise | T1027 | Obfuscated Files or Information | MiniDuke can use control flow flattening to obscure code. [2] |
enterprise | T1090 | Proxy | - |
enterprise | T1090.001 | Internal Proxy | MiniDuke can use a named pipe to forward communications from one compromised machine with internet access to other compromised machines. [2] |
enterprise | T1082 | System Information Discovery | MiniDuke can gather the hostname of a compromised machine. [2] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.001 | Dead Drop Resolver | Some MiniDuke components use Twitter to initially obtain the address of a C2 server, or as a backup if no hard-coded C2 server responds. [1][3][2] |
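The dead drop resolver and fallback rows above (T1102.001, T1008) describe a sequence that is visible at the proxy: a compromised host fetches a public web service (Twitter, or Google Search when Twitter fails), and shortly afterwards connects to a domain it has never used before, which is the C2 address it just resolved. The script below is an added example written for this page, not MiniDuke code and not MITRE content; it scores that sequence over proxy log lines. The log lines, hostnames, domains, the 120-second window and the known-good list are all constructed assumptions for the example, and a real deployment would replace the known-good set with a per-host baseline, since visits to Twitter and Google on their own are far too common to alert on.

```python
"""Flag novel-domain connections that closely follow a dead-drop fetch.

Added detection sketch for the T1102.001 / T1008 pattern on this page.
Every hostname, domain and log line here is constructed for the example.
"""
import re
from datetime import datetime, timedelta

# Web services this page documents MiniDuke using to look up its C2 address
# (Twitter) and as a fallback (Google Search). Assumed host list for the example.
DEAD_DROP_HOSTS = {"twitter.com", "www.google.com"}

# Domains already known in the environment; anything else counts as "novel".
# Constructed baseline, not real data.
KNOWN_GOOD = {"intranet.corp.local", "update.corp.local"}

# How soon after the dead-drop fetch a follow-up connection must occur. Assumption.
WINDOW = timedelta(seconds=120)

# Constructed proxy log: "<utc timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2021-03-01T09:00:01Z ws01 GET https://twitter.com/someuser 200
2021-03-01T09:00:05Z ws01 GET https://cdn.example-news.net/img/a.gif 200
2021-03-01T09:15:00Z ws02 GET https://www.google.com/search?q=abc123 200
2021-03-01T09:15:07Z ws02 GET https://static.example-photos.org/b.gif 200
2021-03-01T10:00:00Z ws03 GET https://twitter.com/home 200
2021-03-01T10:00:30Z ws03 GET https://intranet.corp.local/ 200
2021-03-01T11:00:00Z ws04 GET https://twitter.com/home 200
2021-03-01T11:10:00Z ws04 GET https://late.example-blog.org/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # Strip the scheme and keep only the host part of the URL.
    domain = re.sub(r"^https?://", "", m["url"]).split("/", 1)[0].lower()
    return {"ts": ts, "host": m["host"], "domain": domain,
            "url": m["url"], "status": int(m["status"])}


def find_dead_drop_followups(log_text, window=WINDOW, known_good=KNOWN_GOOD):
    """Return (client, dead_drop_url, followup_domain, seconds) for every
    request to a non-baseline domain that follows a dead-drop fetch from the
    same client within `window`. Records are processed in timestamp order.
    """
    last_drop = {}  # client -> most recent dead-drop fetch record
    alerts = []
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["domain"] in DEAD_DROP_HOSTS:
            last_drop[rec["host"]] = rec
            continue
        drop = last_drop.get(rec["host"])
        if drop is None or rec["domain"] in known_good:
            continue
        delta = rec["ts"] - drop["ts"]
        if timedelta(0) <= delta <= window:
            alerts.append((rec["host"], drop["url"], rec["domain"],
                           int(delta.total_seconds())))
    return alerts


if __name__ == "__main__":
    for client, drop_url, domain, secs in find_dead_drop_followups(SAMPLE_LOG):
        print(f"{client}: {domain} reached {secs}s after dead-drop fetch {drop_url}")
```

In the constructed sample, ws01 and ws02 are flagged (Twitter or Google Search followed within seconds by a previously unseen domain serving a GIF, which also matches the T1105 row), ws03 is not because its follow-up goes to a baseline domain, and ws04 is not because ten minutes exceed the window. The DGA row (T1568.002) means the Twitter URL itself changes over time, so the rule keys on the service host rather than on a fixed account path.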
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [1][2][4] |
References
1. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
2. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
3. Kaspersky Lab’s Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
4. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.