PowerDuke

PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. [1]

ID: S0139
Aliases: PowerDuke
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

NameDescription
PowerDuke[1]

Techniques Used

DomainIDNameUse
EnterpriseT1010Application Window DiscoveryPowerDuke has a command to get text of the current foreground window.[1]
EnterpriseT1059Command-Line InterfacePowerDuke runs cmd.exe /c and sends the output to its C2.[1]
EnterpriseT1043Commonly Used PortPowerDuke connects over 443 for C2.[1]
EnterpriseT1083File and Directory DiscoveryPowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.[1]
EnterpriseT1107File DeletionPowerDuke has a command to write random data across a file and delete it.[1]
EnterpriseT1096NTFS File AttributesPowerDuke hides many of its backdoor payloads in an alternate data stream (ADS).[1]
EnterpriseT1027Obfuscated Files or InformationPowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).[1]
EnterpriseT1057Process DiscoveryPowerDuke has a command to list the victim's processes.[1]
EnterpriseT1060Registry Run Keys / Startup FolderPowerDuke achieves persistence by using various Registry Run keys.[1]
EnterpriseT1105Remote File CopyPowerDuke has a command to download a file.[1]
EnterpriseT1085Rundll32PowerDuke uses rundll32.exe to load.[1]
EnterpriseT1082System Information DiscoveryPowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage.[1]
EnterpriseT1016System Network Configuration DiscoveryPowerDuke has a command to get the victim's domain and NetBIOS name.[1]
EnterpriseT1033System Owner/User DiscoveryPowerDuke has commands to get the current user's name and SID.[1]
EnterpriseT1124System Time DiscoveryPowerDuke has commands to get the time the machine was built, the time, and the time zone.[1]

Groups

Groups that use this software:

APT29

References