Downdelph

Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. [1]

ID: S0134
Aliases: Downdelph, Delphacy
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1088Bypass User Account ControlDowndelph bypasses UAC to escalate privileges by using a custom “RedirectEXE” shim database.[1]
EnterpriseT1001Data ObfuscationDowndelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.[1]
EnterpriseT1038DLL Search Order HijackingDowndelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges.[1]
EnterpriseT1105Remote File CopyAfter downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[1]
EnterpriseT1032Standard Cryptographic ProtocolDowndelph uses RC4 to encrypt C2 responses.[1]

References