S0513 LiteDuke
LiteDuke is a third-stage backdoor that was used by APT29, primarily in 2014-2015. LiteDuke used the same dropper as PolyglotDuke and was found on machines also compromised by MiniDuke.[1]
| Item | Value | 
|---|---|
| ID | S0513 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.0 | 
| Created | 24 September 2020 | 
| Last Modified | 04 October 2021 | 
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | LiteDuke can use HTTP GET requests in C2 communications.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | LiteDuke can create persistence by adding a shortcut in the CurrentVersion\Run Registry key.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | LiteDuke has the ability to decrypt and decode multiple layers of obfuscation.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | LiteDuke can securely delete files by first writing random data to the file.[1] |
| enterprise | T1105 | Ingress Tool Transfer | LiteDuke has the ability to download files.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | LiteDuke has been packed with multiple layers of encryption.[1] |
| enterprise | T1027.003 | Steganography | LiteDuke has used image files to hide its loader component.[1] |
| enterprise | T1012 | Query Registry | LiteDuke can query the Registry to check for the presence of HKCU\Software\KasperskyLab.[1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | LiteDuke has the ability to check for the presence of Kaspersky security software.[1] |
| enterprise | T1082 | System Information Discovery | LiteDuke can enumerate the CPUID and BIOS version on a compromised system.[1] |
| enterprise | T1016 | System Network Configuration Discovery | LiteDuke has the ability to discover the proxy configuration of Firefox and/or Opera.[1] |
| enterprise | T1033 | System Owner/User Discovery | LiteDuke can enumerate the account name on a targeted system.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.003 | Time Based Evasion | LiteDuke can wait 30 seconds before executing additional code if security software is detected.[1] |
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G0016 | APT29 | [1][2] |