Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. [1]

ID: S0134
Associated Software: Delphacy
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Downdelph bypasses UAC to escalate privileges by using a custom "RedirectEXE" shim database.[1]

Enterprise T1001 .001 Data Obfuscation: Junk Data

Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Downdelph uses RC4 to encrypt C2 responses.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges.[1]

Enterprise T1105 Ingress Tool Transfer

After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[1]

Groups That Use This Software

ID Name References
G0007 APT28