| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | FatDuke can be controlled via a custom C2 protocol over HTTP. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | FatDuke has used HKLM\SOFTWARE\Microsoft\CurrentVersion\Run to establish persistence. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | FatDuke has the ability to execute PowerShell scripts. |
| enterprise | T1005 | Data from Local System | FatDuke can copy files and directories from a compromised host. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | FatDuke can decrypt AES-encrypted C2 communications. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | FatDuke can AES-encrypt C2 communications. |
| enterprise | T1008 | Fallback Channels | FatDuke has used several C2 servers per targeted organization. |
| enterprise | T1083 | File and Directory Discovery | FatDuke can enumerate directories on target machines. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | FatDuke can securely delete its DLL. |
| enterprise | T1036 | Masquerading | FatDuke has attempted to mimic a compromised user's traffic by using the same user agent as the installed browser. |
| enterprise | T1106 | Native API | FatDuke can call ShellExecuteW to open the default browser on the URL localhost. |
| enterprise | T1027 | Obfuscated Files or Information | FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation. |
| enterprise | T1027.001 | Binary Padding | FatDuke has been packed with junk code and strings. |
| enterprise | T1027.002 | Software Packing | FatDuke has been regularly repacked by its operators to create large binaries and evade detection. |
| enterprise | T1057 | Process Discovery | FatDuke can list running processes on the localhost. |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | FatDuke can use pipes to connect machines with restricted internet access to remote machines via other infected hosts. |
| enterprise | T1012 | Query Registry | FatDuke can get user agent strings for the default browser from HKCU\Software\Classes\http\shell\open\command. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | FatDuke can execute via rundll32. |
| enterprise | T1082 | System Information Discovery | FatDuke can collect the user name, Windows version, computer name, and available space on disks from a compromised host. |
| enterprise | T1016 | System Network Configuration Discovery | FatDuke can identify the MAC address on the target computer. |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.003 | Time Based Evasion | FatDuke can turn itself on or off at random intervals. |