1. Home
  2. Software
  3. OnionDuke

OnionDuke

OnionDuke is malware that was used by APT29 from 2013 to 2015. [1]

ID: S0052
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 23 September 2020
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

OnionDuke uses HTTP and HTTPS for C2.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

OnionDuke can use a custom decryption algorithm to decrypt strings.[2]
Enterprise T1499 Endpoint Denial of Service

OnionDuke has the capability to use a Denial of Service module.[2]
Enterprise T1003 OS Credential Dumping

OnionDuke steals credentials from its victims.[1]
Enterprise T1102 .003 Web Service: One-Way Communication

OnionDuke uses Twitter as a backup C2.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3]

References

  1. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  2. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  1. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.