S0511 RegDuke
RegDuke is a first-stage implant written in .NET that APT29 has used since at least 2017. It has been used to keep control of a compromised machine when control through the other implants on that machine was lost.1
Item | Value |
---|---|
ID | S0511 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 23 September 2020 |
Last Modified | 24 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | RegDuke can extract and execute PowerShell scripts from C2 communications.1 |
enterprise | T1140 | Deobfuscate/Decode Files or Information | RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.1 |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | RegDuke can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started.1 |
enterprise | T1105 | Ingress Tool Transfer | RegDuke can download files from C2.1 |
enterprise | T1112 | Modify Registry | RegDuke can create a seemingly legitimate Registry key to store its encryption key.1 |
enterprise | T1027 | Obfuscated Files or Information | RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.1 |
enterprise | T1027.003 | Steganography | RegDuke can hide data in images, including use of the Least Significant Bit (LSB).1 |
enterprise | T1027.011 | Fileless Storage | RegDuke can store its encryption key in the Registry.1 |
enterprise | T1102 | Web Service | - |
enterprise | T1102.002 | Bidirectional Communication | RegDuke can use Dropbox as its C2 server.1 |
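The WMI persistence listed under T1546.003 above, as an added hunting example that is not part of the ATT&CK page and is not RegDuke's own code: it enumerates the permanent WMI event subscriptions in root/subscription, joins each filter-to-consumer binding back to its filter and consumer, and flags bindings whose filter is a process-start trigger that names WINWORD.EXE. The function names, the default process-name parameter and the query patterns it matches are assumptions of this example; the page states only that the consumer is launched every time a process named WINWORD.EXE is started.

```powershell
# Added example (not code from the ATT&CK page or from RegDuke): hunt for
# WMI permanent event subscriptions whose filter fires when WINWORD.EXE starts,
# the T1546.003 persistence pattern attributed to RegDuke above.
# Needs local administrator rights; permanent subscriptions live in root/subscription.

function Get-ReferenceName {
    # Binding.Filter and Binding.Consumer are object references. The CIM cmdlets
    # return them as CimInstance objects; legacy WMI returns path strings such as
    # __EventFilter.Name="x". Handle both so the join below works either way.
    param([object]$Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Get-SuspiciousWmiSubscription {
    [CmdletBinding()]
    param(
        # Process name the trigger is expected to watch; default taken from the page.
        [string]$ProcessName = 'WINWORD.EXE'
    )

    $ns = 'root/subscription'
    # __EventConsumer is the abstract base; querying it returns every concrete
    # consumer (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $fName = Get-ReferenceName $b.Filter
        $cName = Get-ReferenceName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        if (-not $f) { continue }   # dangling binding: nothing to inspect

        # Process-start triggers are written either as the Win32_ProcessStartTrace
        # extrinsic event or as an __InstanceCreationEvent over Win32_Process.
        $isProcessTrigger = $f.Query -match 'Win32_ProcessStartTrace|__InstanceCreationEvent'
        $namesTarget      = $f.Query -match [regex]::Escape($ProcessName)

        # What the consumer runs is the payload an analyst needs to pull next.
        $cClass  = if ($c) { $c.CimClass.CimClassName } else { '(missing)' }
        $payload = switch ($cClass) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { $null }
        }

        [pscustomobject]@{
            Filter        = $f.Name
            Query         = $f.Query
            Consumer      = $cName
            ConsumerClass = $cClass
            Payload       = $payload
            Suspicious    = ($isProcessTrigger -and $namesTarget)
        }
    }
}

# Usage: review every binding, then narrow to the WINWORD.EXE-triggered ones.
# Get-SuspiciousWmiSubscription | Format-List
# Get-SuspiciousWmiSubscription | Where-Object Suspicious | Format-List
```

Run the unfiltered form first: a permanent subscription bound to any process-start trigger is rare on workstations, so every row deserves a look even when WINWORD.EXE is not named. The check covers only the trigger the page describes; it does not look for the Registry key holding the encryption key (T1112, T1027.011), because the page does not name that key, nor for the Dropbox C2 traffic (T1102.002), which needs network telemetry rather than host WMI state.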
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | 1 2 |