MiniDuke
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | MiniDuke uses HTTP and HTTPS for command and control.(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)
Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | MiniDuke can use a DGA to generate new Twitter URLs for C2.(Citation: ESET Dukes October 2019)
Enterprise | T1090.001 | Proxy: Internal Proxy | MiniDuke can use a named pipe to forward communications from one compromised machine with internet access to other compromised machines.(Citation: ESET Dukes October 2019)
Enterprise | T1102.001 | Web Service: Dead Drop Resolver | Some MiniDuke components use Twitter to initially obtain the address of a C2 server, or as a backup if no hard-coded C2 server responds.(Citation: F-Secure The Dukes)(Citation: Securelist MiniDuke Feb 2013)(Citation: ESET Dukes October 2019)
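The dead-drop-resolver and web-protocol rows above describe a pattern that is visible at the network edge: a host fetches a page from a public web service and, shortly afterwards, starts talking to a destination it has never contacted before. The following detection heuristic is an added example, not code from the ATT&CK page or from any MiniDuke sample. It assumes a constructed proxy log format of `<epoch> <client_ip> <method> <url> <status>`, a watch list of web-service hosts (here Twitter, matching the page), a 120-second lookback window and a caller-supplied set of already-known destinations; all of those are assumptions, and the log lines are constructed for the example.

```python
"""Flag hosts that contact a watched web service and then a new destination.

Added example for T1102.001 / T1071.001 detection, not from the ATT&CK page.
Log format, watch list, window and sample data are all assumptions.
"""
import ipaddress
from urllib.parse import urlparse

# Assumption: public web services that an implant might use as a dead drop.
DEAD_DROP_HOSTS = {"twitter.com", "api.twitter.com", "mobile.twitter.com"}
# Assumption: how long after the dead-drop fetch a follow-up is still suspicious.
WINDOW_SECONDS = 120

# Constructed proxy log: "<epoch> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
1600000000 10.0.0.5 GET https://twitter.com/i/status/1 200
1600000030 10.0.0.5 POST https://203.0.113.7/index.php 200
1600000005 10.0.0.9 GET https://twitter.com/home 200
1600000400 10.0.0.9 GET https://www.example.com/ 200
1600000100 10.0.0.12 GET https://www.example.com/ 200
"""


def parse_line(line):
    """Split one constructed log line into a dict with a lower-cased host."""
    ts, client, method, url, status = line.split()
    host = (urlparse(url).hostname or "").lower()
    return {"ts": int(ts), "client": client, "method": method,
            "url": url, "host": host, "status": status}


def is_ip_literal(host):
    """True when the destination is a bare IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_dead_drop_followups(log_text, known_hosts, window=WINDOW_SECONDS):
    """Return one hit per follow-up request to a not-yet-known destination
    made within `window` seconds after the same client fetched a watched
    web service. Each hit is (client, dead_drop_url, followup_url, ip_literal).
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    last_dead_drop = {}   # client -> most recent watched-service request
    hits = []
    for e in events:
        if e["host"] in DEAD_DROP_HOSTS:
            last_dead_drop[e["client"]] = e
            continue
        prior = last_dead_drop.get(e["client"])
        if prior is None or e["ts"] - prior["ts"] > window:
            continue
        if e["host"] in known_hosts:
            continue
        hits.append((e["client"], prior["url"], e["url"], is_ip_literal(e["host"])))
    return hits


if __name__ == "__main__":
    # Assumption: destinations the environment has already seen and vetted.
    for hit in find_dead_drop_followups(SAMPLE_LOG, {"www.example.com"}):
        client, drop, follow, raw_ip = hit
        print(f"{client}: {drop} -> {follow}" + (" [IP literal]" if raw_ip else ""))
```

The heuristic is deliberately narrow: only the first unseen destination after a watched fetch is flagged, and a follow-up to a bare IP is marked separately because a resolver that hands back an address rather than a name removes the need for DNS, which is exactly the trail a dead drop is meant to avoid. Tune `known_hosts` from a baseline of normal egress before relying on the output.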
Groups That Use This Software

ID | Name | References
---|---|---
G0016 | APT29 | (Citation: F-Secure The Dukes) (Citation: ESET Dukes October 2019) (Citation: Secureworks IRON HEMLOCK Profile)
References
- Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
- Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.