PolyglotDuke

PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.[1]

ID: S0518
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 23 September 2020
Last Modified: 26 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

PolyglotDuke has has used HTTP GET requests in C2 communications.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.[1]

Enterprise T1105 Ingress Tool Transfer

PolyglotDuke can retrieve payloads from the C2 server.[1]

Enterprise T1112 Modify Registry

PolyglotDuke can write encrypted JSON configuration files to the Registry.[1]

Enterprise T1106 Native API

PolyglotDuke can use LoadLibraryW and CreateProcess to load and execute code.[1]

Enterprise T1027 Obfuscated Files or Information

PolyglotDuke can custom encrypt strings.[1]

.003 Steganography

PolyglotDuke can use steganography to hide C2 information in images.[1]

.011 Fileless Storage

PolyglotDuke can store encrypted JSON configuration files in the Registry.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

PolyglotDuke can be executed using rundll32.exe.[1]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

PolyglotDuke can use Twitter, Reddit, Imgur and other websites to get a C2 URL.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2]

Campaigns

ID Name Description
C0023 Operation Ghost

For Operation Ghost, APT29 used PolyglotDuke as a first-stage downloader.[1]

References