PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
PolyglotDuke has has used HTTP GET requests in C2 communications.[1] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.[1] |
|
Enterprise | T1105 | Ingress Tool Transfer |
PolyglotDuke can retrieve payloads from the C2 server.[1] |
|
Enterprise | T1112 | Modify Registry |
PolyglotDuke can write encrypted JSON configuration files to the Registry.[1] |
|
Enterprise | T1106 | Native API |
PolyglotDuke can use |
|
Enterprise | T1027 | Obfuscated Files or Information |
PolyglotDuke can custom encrypt strings.[1] |
|
.003 | Steganography |
PolyglotDuke can use steganography to hide C2 information in images.[1] |
||
Enterprise | T1218 | .011 | Signed Binary Proxy Execution: Rundll32 |
PolyglotDuke can be executed using rundll32.exe.[1] |
Enterprise | T1102 | .001 | Web Service: Dead Drop Resolver |
PolyglotDuke can use Twitter, Reddit, Imgur and other websites to get a C2 URL.[1] |
ID | Name | References |
---|---|---|
G0016 | APT29 |