
S0139 PowerDuke

PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. [1]

| Item | Value |
|---|---|
| ID | S0139 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1010 | Application Window Discovery | PowerDuke has a command to get the text of the current foreground window. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | PowerDuke achieves persistence by using various Registry Run keys. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | PowerDuke runs cmd.exe /c and sends the output to its C2. [1] |
| enterprise | T1485 | Data Destruction | PowerDuke has a command to write random data across a file and delete it. [1] |
| enterprise | T1083 | File and Directory Discovery | PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space. [1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.004 | NTFS File Attributes | PowerDuke hides many of its backdoor payloads in an alternate data stream (ADS). [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | PowerDuke has a command to write random data across a file and delete it. [1] |
| enterprise | T1105 | Ingress Tool Transfer | PowerDuke has a command to download a file. [1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.003 | Steganography | PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA). [1] |
| enterprise | T1057 | Process Discovery | PowerDuke has a command to list the victim's processes. [1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | PowerDuke uses rundll32.exe to load. [1] |
| enterprise | T1082 | System Information Discovery | PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage. [1] |
| enterprise | T1016 | System Network Configuration Discovery | PowerDuke has a command to get the victim's domain and NetBIOS name. [1] |
| enterprise | T1033 | System Owner/User Discovery | PowerDuke has commands to get the current user's name and SID. [1] |
| enterprise | T1124 | System Time Discovery | PowerDuke has commands to get the time the machine was built, the current time, and the time zone. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [1] |

References