1. Home
  2. Software
  3. Downdelph

Downdelph

Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. [1]

ID: S0134
Associated Software: Delphacy
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 30 March 2020
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Downdelph bypasses UAC to escalate privileges by using a custom "RedirectEXE" shim database.[1]
Enterprise T1001 .001 Data Obfuscation: Junk Data

Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.[1]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Downdelph uses RC4 to encrypt C2 responses.[1]
Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges.[1]
Enterprise T1105 Ingress Tool Transfer

After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[1]

Groups That Use This Software

ID Name References
G0007 APT28

[1][2]

References

  1. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  1. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.