
S0512 FatDuke

FatDuke is a backdoor used by APT29 since at least 2016. [1]

ID: S0512
Associated Names: none
Version: 1.1
Created: 24 September 2020
Last Modified: 16 October 2021

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071.001 | Application Layer Protocol: Web Protocols | FatDuke can be controlled via a custom C2 protocol over HTTP. [1] |
| enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | FatDuke has used HKLM\SOFTWARE\Microsoft\CurrentVersion\Run to establish persistence. [1] |
| enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | FatDuke has the ability to execute PowerShell scripts. [1] |
| enterprise | T1005 | Data from Local System | FatDuke can copy files and directories from a compromised host. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | FatDuke can decrypt AES-encrypted C2 communications. [1] |
| enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | FatDuke can AES-encrypt C2 communications. [1] |
| enterprise | T1008 | Fallback Channels | FatDuke has used several C2 servers per targeted organization. [1] |
| enterprise | T1083 | File and Directory Discovery | FatDuke can enumerate directories on target machines. [1] |
| enterprise | T1070.004 | Indicator Removal: File Deletion | FatDuke can securely delete its DLL. [1] |
| enterprise | T1036 | Masquerading | FatDuke has attempted to mimic a compromised user's traffic by using the same user agent as the installed browser. [1] |
| enterprise | T1106 | Native API | FatDuke can call ShellExecuteW to open the default browser on the URL localhost. [1] |
| enterprise | T1027 | Obfuscated Files or Information | FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation. [1] |
| enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | FatDuke has been packed with junk code and strings. [1] |
| enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | FatDuke has been regularly repacked by its operators to create large binaries and evade detection. [1] |
| enterprise | T1057 | Process Discovery | FatDuke can list running processes on the local host. [1] |
| enterprise | T1090.001 | Proxy: Internal Proxy | FatDuke can use pipes to connect machines with restricted internet access to remote machines via other infected hosts. [1] |
| enterprise | T1012 | Query Registry | FatDuke can get user agent strings for the default browser from HKCU\Software\Classes\http\shell\open\command. [1] |
| enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | FatDuke can execute via rundll32. [1] |
| enterprise | T1082 | System Information Discovery | FatDuke can collect the user name, Windows version, computer name, and available disk space from a compromised host. [1] |
| enterprise | T1016 | System Network Configuration Discovery | FatDuke can identify the MAC address on the target computer. [1] |
| enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | FatDuke can turn itself on or off at random intervals. [1] |
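Two of the rows above translate directly into host-side detections: a Run-key value that launches rundll32 with a DLL from a user-writable directory (T1547.001 with T1218.011), and a non-browser process sending HTTP with the installed browser's User-Agent (T1036, which FatDuke supports by reading the default-browser command from the registry, T1012). The script below is an added example written for this page, not code from ATT&CK or from the ESET report it cites. Every log record in it is constructed. The Sysmon field names (Event ID 13 for registry value set, Event ID 3 for network connections), the proxy log layout, the User-Agent token to browser mapping, the trusted-directory list, and the use of the standard Run key path (the table lists the key without the `Windows\` component) are all assumptions made for illustration.

```python
# Added example (not from the ATT&CK page or the ESET report): two detection
# checks modelled on FatDuke behaviours. All log records below are constructed.
import re

# ---- Check 1: Run-key persistence launching rundll32 (T1547.001 / T1218.011) ----
# Assumes the standard Run/RunOnce key path and Sysmon Event ID 13 field names.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

SYSMON_REG = [  # constructed Sysmon Event ID 13 (RegistryEvent: value set) records
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuauserv",
     "Details": r"rundll32.exe C:\ProgramData\Adobe\cache.dll,Start"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]


def suspicious_run_values(events):
    """Return (key, dll) for Run/RunOnce values that start rundll32 on a DLL
    located outside the trusted directories."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue
        m = RUNDLL_RE.search(ev.get("Details", ""))
        if m and not m.group(1).lower().startswith(TRUSTED_DIRS):
            hits.append((ev["TargetObject"], m.group(1)))
    return hits


# ---- Check 2: browser User-Agent sent by a non-browser process (T1036 / T1012) ----
# Joins proxy log lines to Sysmon Event ID 3 records on (source IP, source port).
SYSMON_NET = [  # constructed Sysmon Event ID 3 (network connection) records
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "SourceIp": "10.0.0.5", "SourcePort": 49712,
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "SourceIp": "10.0.0.5", "SourcePort": 49713,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

# constructed proxy log: "<src ip>:<src port> <method> <url> \"<user-agent>\""
PROXY_LOG = """\
10.0.0.5:49712 GET http://203.0.113.10/update.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0"
10.0.0.5:49713 CONNECT 198.51.100.7:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0"
"""
PROXY_RE = re.compile(r'^(\S+):(\d+) (\S+) (\S+) "([^"]*)"$')

# First matching token wins; Edge User-Agents also contain "Chrome/", so Edg/ goes first.
UA_TO_IMAGES = [
    ("Edg/", {"msedge.exe"}),
    ("Firefox/", {"firefox.exe"}),
    ("Chrome/", {"chrome.exe"}),
]


def parse_proxy_log(text):
    """Parse the constructed proxy format into dicts keyed for the join."""
    rows = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            ip, port, method, url, ua = m.groups()
            rows.append({"src": (ip, int(port)), "method": method, "url": url, "ua": ua})
    return rows


def expected_images(ua):
    """Browser executables that legitimately send this User-Agent, or None if unknown."""
    for token, images in UA_TO_IMAGES:
        if token in ua:
            return images
    return None


def ua_mismatches(net_events, proxy_rows):
    """Return (image, url, ua) where the sending process is not the browser the UA claims."""
    by_src = {(e["SourceIp"], e["SourcePort"]): e
              for e in net_events if e.get("EventID") == 3}
    hits = []
    for row in proxy_rows:
        ev = by_src.get(row["src"])
        expected = expected_images(row["ua"])
        if ev is None or expected is None:
            continue
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image not in expected:
            hits.append((image, row["url"], row["ua"]))
    return hits


if __name__ == "__main__":
    for key, dll in suspicious_run_values(SYSMON_REG):
        print(f"[run-key] {key} -> rundll32 loads {dll}")
    for image, url, ua in ua_mismatches(SYSMON_NET, parse_proxy_log(PROXY_LOG)):
        print(f"[ua-mismatch] {image} requested {url} with UA '{ua}'")
```

Both checks depend on the join key being reliable: Sysmon's source port for Event ID 3 and the proxy's client port must refer to the same TCP connection, so this only works when the proxy logs the client port (or when the SIEM already enriches network events with process names). The Run-key check deliberately ignores values under Program Files and System32 to keep the result short; a DLL in a trusted directory is still worth reviewing if its hash is unknown.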

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [1] [2] |