Downdelph
Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. [1]
ID: S0134
Aliases: Downdelph, Delphacy
Type: MALWARE
Platforms: Windows
Version: 1.0
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1088 | Bypass User Account Control | Downdelph bypasses UAC to escalate privileges by using a custom “RedirectEXE” shim database.[1] |
Enterprise | T1001 | Data Obfuscation | Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.[1] |
Enterprise | T1038 | DLL Search Order Hijacking | Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges.[1] |
Enterprise | T1105 | Remote File Copy | After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[1] |
Enterprise | T1032 | Standard Cryptographic Protocol | Downdelph uses RC4 to encrypt C2 responses.[1] |