S0518 PolyglotDuke
PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.1
| Item | Value |
|---|---|
| ID | S0518 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 23 September 2020 |
| Last Modified | 26 March 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | PolyglotDuke has has used HTTP GET requests in C2 communications.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.1 |
| enterprise | T1105 | Ingress Tool Transfer | PolyglotDuke can retrieve payloads from the C2 server.1 |
| enterprise | T1112 | Modify Registry | PolyglotDuke can write encrypted JSON configuration files to the Registry.1 |
| enterprise | T1106 | Native API | PolyglotDuke can use LoadLibraryW and CreateProcess to load and execute code.1 |
| enterprise | T1027 | Obfuscated Files or Information | PolyglotDuke can custom encrypt strings.1 |
| enterprise | T1027.003 | Steganography | PolyglotDuke can use steganography to hide C2 information in images.1 |
| enterprise | T1027.011 | Fileless Storage | PolyglotDuke can store encrypted JSON configuration files in the Registry.1 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | PolyglotDuke can be executed using rundll32.exe.1 |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.001 | Dead Drop Resolver | PolyglotDuke can use Twitter, Reddit, Imgur and other websites to get a C2 URL.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0016 | APT29 | 12 |