
S0513 LiteDuke

LiteDuke is a third-stage backdoor that was used by APT29, primarily in 2014-2015. LiteDuke used the same dropper as PolyglotDuke, and was found on machines also compromised by MiniDuke.[1]

| Item | Value |
|---|---|
| ID | S0513 |
| Associated Names | |
| Version | 1.0 |
| Created | 24 September 2020 |
| Last Modified | 04 October 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | LiteDuke can use HTTP GET requests in C2 communications.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | LiteDuke can create persistence by adding a shortcut in the CurrentVersion\Run Registry key.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | LiteDuke has the ability to decrypt and decode multiple layers of obfuscation.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | LiteDuke can securely delete files by first writing random data to the file.[1] |
| enterprise | T1105 | Ingress Tool Transfer | LiteDuke has the ability to download files.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | LiteDuke has been packed with multiple layers of encryption.[1] |
| enterprise | T1027.003 | Steganography | LiteDuke has used image files to hide its loader component.[1] |
| enterprise | T1012 | Query Registry | LiteDuke can query the Registry to check for the presence of HKCU\Software\KasperskyLab.[1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | LiteDuke has the ability to check for the presence of Kaspersky security software.[1] |
| enterprise | T1082 | System Information Discovery | LiteDuke can enumerate the CPUID and BIOS version on a compromised system.[1] |
| enterprise | T1016 | System Network Configuration Discovery | LiteDuke has the ability to discover the proxy configuration of Firefox and/or Opera.[1] |
| enterprise | T1033 | System Owner/User Discovery | LiteDuke can enumerate the account name on a targeted system.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.003 | Time Based Evasion | LiteDuke can wait 30 seconds before executing additional code if security software is detected.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [1][2] |