
GeminiDuke

GeminiDuke is malware that was used by APT29 from 2009 to 2012. [1]

ID: S0049
Aliases: GeminiDuke
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | GeminiDuke collects information on local user accounts from the victim. [1]
Enterprise | T1083 | File and Directory Discovery | GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs. [1]
Enterprise | T1057 | Process Discovery | GeminiDuke collects information on running processes and environment variables from the victim. [1]
Enterprise | T1071 | Standard Application Layer Protocol | GeminiDuke uses HTTP and HTTPS for command and control. [1]
Enterprise | T1016 | System Network Configuration Discovery | GeminiDuke collects information on network settings and Internet proxy settings from the victim. [1]
Enterprise | T1007 | System Service Discovery | GeminiDuke collects information on programs and services on the victim that are configured to automatically run at startup. [1]
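The techniques above are individually unremarkable (Explorer reads RecentDocs, browsers read proxy settings), which is why the detection value lies in the cluster: one process enumerating accounts, autoruns, home folders, Program Files, running processes and proxy settings within minutes, then opening an HTTP(S) channel. The following is an added example, not MITRE content and not GeminiDuke's own code. It assumes a simple pipe-delimited endpoint telemetry format (timestamp, pid, image, accessed object), a mapping from accessed registry keys, directories, WMI classes and URLs to the technique IDs listed above that is this example's own choice, and constructed sample records; the thresholds are likewise assumptions to tune against real data.

```python
"""Flag processes that show the GeminiDuke discovery cluster and then use HTTP(S).

Added example, not MITRE's or the malware author's code. The telemetry format,
the artifact-to-technique mapping and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Technique IDs are the ones listed for GeminiDuke. Each pattern is matched
# against the object a process touched (registry key, directory, WMI class or
# URL). The mapping itself is an assumption of this example.
TECHNIQUE_PATTERNS = {
    "T1087": [r"Win32_UserAccount$", r"\\SAM\\Domains\\Account\\Users"],
    "T1083": [r"^C:\\Users\\[^\\]+\\?$", r"\\Documents\\?$",
              r"^C:\\Program Files", r"\\Explorer\\RecentDocs"],
    "T1057": [r"Win32_Process$", r"Process32First"],
    "T1016": [r"Internet Settings\\ProxyServer$", r"\\Tcpip\\Parameters\\Interfaces"],
    "T1007": [r"\\CurrentVersion\\Run\\?$", r"^HKLM\\SYSTEM\\CurrentControlSet\\Services"],
    "T1071": [r"^https?://"],
}
DISCOVERY = {"T1087", "T1083", "T1057", "T1016", "T1007"}

# Constructed telemetry: "timestamp|pid|image|object", one record per line.
# pid 4120 plays the implant; 1888 and 2204 are benign look-alikes.
SAMPLE_EVENTS = r"""
2012-03-01T10:00:01|4120|C:\Users\alice\AppData\Roaming\updater.exe|ROOT\CIMV2:Win32_UserAccount
2012-03-01T10:00:02|4120|C:\Users\alice\AppData\Roaming\updater.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2012-03-01T10:00:03|4120|C:\Users\alice\AppData\Roaming\updater.exe|C:\Users\alice
2012-03-01T10:00:03|4120|C:\Users\alice\AppData\Roaming\updater.exe|C:\Users\alice\Documents
2012-03-01T10:00:04|4120|C:\Users\alice\AppData\Roaming\updater.exe|C:\Program Files
2012-03-01T10:00:05|4120|C:\Users\alice\AppData\Roaming\updater.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
2012-03-01T10:00:06|4120|C:\Users\alice\AppData\Roaming\updater.exe|ROOT\CIMV2:Win32_Process
2012-03-01T10:00:07|4120|C:\Users\alice\AppData\Roaming\updater.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
2012-03-01T10:00:09|4120|C:\Users\alice\AppData\Roaming\updater.exe|https://update.example.invalid/index.php
2012-03-01T10:01:00|1888|C:\Windows\explorer.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
2012-03-01T10:01:01|1888|C:\Windows\explorer.exe|C:\Program Files
2012-03-01T10:02:00|2204|C:\Program Files\Browser\browser.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
2012-03-01T10:02:01|2204|C:\Program Files\Browser\browser.exe|https://intranet.example.invalid/
"""


def parse_events(text):
    """Parse pipe-delimited records into (timestamp, pid, image, target) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, image, target = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), int(pid), image, target))
    return events


def classify(target):
    """Return the set of technique IDs whose patterns match one accessed object."""
    return {tid for tid, pats in TECHNIQUE_PATTERNS.items()
            if any(re.search(p, target) for p in pats)}


def _score(techs):
    # Prefer windows with more distinct discovery techniques, then those that
    # also contain the C2 channel.
    return (len(techs & DISCOVERY), "T1071" in techs)


def find_suspects(events, min_discovery=3, window=timedelta(minutes=10)):
    """Return {(pid, image): sorted technique IDs} for each process that hit at
    least `min_discovery` distinct discovery techniques inside `window` and used
    HTTP/HTTPS (T1071) within that same window. Both thresholds are assumptions."""
    by_proc = defaultdict(list)
    for ts, pid, image, target in events:
        by_proc[(pid, image)].append((ts, classify(target)))

    suspects = {}
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e[0])
        best = set()
        # Sliding window anchored at every event of the process.
        for i, (t0, _) in enumerate(evs):
            seen = set()
            for t, techs in evs[i:]:
                if t - t0 > window:
                    break
                seen |= techs
            if _score(seen) > _score(best):
                best = seen
        if len(best & DISCOVERY) >= min_discovery and "T1071" in best:
            suspects[key] = sorted(best)
    return suspects


if __name__ == "__main__":
    for (pid, image), techs in find_suspects(parse_events(SAMPLE_EVENTS)).items():
        print(f"pid {pid} {image}: {', '.join(techs)}")
```

Run against the constructed records, only pid 4120 is reported, with all six technique IDs; explorer.exe and the browser each touch one discovery class and are ignored. Raising `min_discovery` trades recall for fewer false positives from legitimate inventory tools, which is the knob to tune against a baseline of your own endpoint telemetry.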

Groups

Groups that use this software:

APT29

References