RegDuke

RegDuke is a first-stage implant written in .NET and used by APT29 since at least 2017. RegDuke has been used to control a compromised machine when control of other implants on the machine was lost.[1]

ID: S0511
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 23 September 2020
Last Modified: 24 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

RegDuke can extract and execute PowerShell scripts from C2 communications.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.[1]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

RegDuke can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started.[1]

Enterprise T1105 Ingress Tool Transfer

RegDuke can download files from C2.[1]

Enterprise T1112 Modify Registry

RegDuke can create a seemingly legitimate Registry key to store its encryption key.[1]

Enterprise T1027 Obfuscated Files or Information

RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.[1]

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

RegDuke can hide data in images, including use of the Least Significant Bit (LSB).[1]

Enterprise T1027 .011 Obfuscated Files or Information: Fileless Storage

RegDuke can store its encryption key in the Registry.[1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

RegDuke can use Dropbox as its C2 server.[1]

Groups That Use This Software

ID Name References
G0016 APT29 [1][2]

Campaigns

ID Name Description
C0023 Operation Ghost

For Operation Ghost, APT29 used RegDuke as a first-stage implant.[1]

References