PowerDuke
PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. [1]
ID: S0139
Aliases: PowerDuke
Type: MALWARE
Platforms: Windows
Version: 1.0
Alias Descriptions
| Name | Description |
|---|---|
| PowerDuke | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1010 | Application Window Discovery | PowerDuke has a command to get the text of the current foreground window. [1] |
| Enterprise | T1059 | Command-Line Interface | PowerDuke runs cmd.exe /c and sends the output to its C2. [1] |
| Enterprise | T1043 | Commonly Used Port | PowerDuke connects over port 443 for C2. [1] |
| Enterprise | T1083 | File and Directory Discovery | PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space. [1] |
| Enterprise | T1107 | File Deletion | PowerDuke has a command to write random data across a file and then delete it. [1] |
| Enterprise | T1096 | NTFS File Attributes | PowerDuke hides many of its backdoor payloads in an alternate data stream (ADS). [1] |
| Enterprise | T1027 | Obfuscated Files or Information | PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA). [1] |
| Enterprise | T1057 | Process Discovery | PowerDuke has a command to list the victim's processes. [1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | PowerDuke achieves persistence by using various Registry Run keys. [1] |
| Enterprise | T1105 | Remote File Copy | PowerDuke has a command to download a file. [1] |
| Enterprise | T1085 | Rundll32 | PowerDuke uses rundll32.exe to load. [1] |
| Enterprise | T1082 | System Information Discovery | PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | PowerDuke has a command to get the victim's domain and NetBIOS name. [1] |
| Enterprise | T1033 | System Owner/User Discovery | PowerDuke has commands to get the current user's name and SID. [1] |
| Enterprise | T1124 | System Time Discovery | PowerDuke has commands to get the time the machine was built, the current time, and the time zone. [1] |
Groups
Groups that use this software:
APT29