PowerDuke

PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. [1]

ID: S0139
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1010 Application Window Discovery

PowerDuke has a command to get text of the current foreground window.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

PowerDuke achieves persistence by using various Registry Run keys.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

PowerDuke runs cmd.exe /c and sends the output to its C2.[1]

Enterprise T1485 Data Destruction

PowerDuke has a command to write random data across a file and delete it.[1]

Enterprise T1083 File and Directory Discovery

PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.[1]

Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

PowerDuke hides many of its backdoor payloads in an alternate data stream (ADS).[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

PowerDuke has a command to write random data across a file and delete it.[1]

Enterprise T1105 Ingress Tool Transfer

PowerDuke has a command to download a file.[1]

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).[1]

Enterprise T1057 Process Discovery

PowerDuke has a command to list the victim's processes.[1]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

PowerDuke uses rundll32.exe to load.[1]

Enterprise T1082 System Information Discovery

PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage.[1]

Enterprise T1016 System Network Configuration Discovery

PowerDuke has a command to get the victim's domain and NetBIOS name.[1]

Enterprise T1033 System Owner/User Discovery

PowerDuke has commands to get the current user's name and SID.[1]

Enterprise T1124 System Time Discovery

PowerDuke has commands to get the time the machine was built, the time, and the time zone.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1]

References