FatDuke
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | FatDuke can be controlled via a custom C2 protocol over HTTP.(Citation: ESET Dukes October 2019) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | FatDuke has used |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | FatDuke has the ability to execute PowerShell scripts.(Citation: ESET Dukes October 2019) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | FatDuke can AES encrypt C2 communications.(Citation: ESET Dukes October 2019) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | FatDuke can secure delete its DLL.(Citation: ESET Dukes October 2019) |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | FatDuke has been packed with junk code and strings.(Citation: ESET Dukes October 2019) |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | FatDuke has been regularly repacked by its operators to create large binaries and evade detection.(Citation: ESET Dukes October 2019) |
| Enterprise | T1090.001 | Proxy: Internal Proxy | FatDuke can use pipes to connect machines with restricted internet access to remote machines via other infected hosts.(Citation: ESET Dukes October 2019) |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | FatDuke can execute via rundll32.(Citation: ESET Dukes October 2019) |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | FatDuke can turn itself on or off at random intervals.(Citation: ESET Dukes October 2019) |