
MiniDuke

MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke.[1]

ID: S0051
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 31 May 2017
Last Modified: 25 April 2025

Techniques Used

Domain | ID | Name | Use

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols

MiniDuke uses HTTP and HTTPS for command and control.[1][2]

Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms

MiniDuke can use DGA to generate new Twitter URLs for C2.[2]

Enterprise | T1008 | Fallback Channels

MiniDuke uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working.[3]

Enterprise | T1083 | File and Directory Discovery

MiniDuke can enumerate local drives.[2]

Enterprise | T1105 | Ingress Tool Transfer

MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[3][2]

Enterprise | T1027 | Obfuscated Files or Information

MiniDuke can use control flow flattening to obscure code.[2]

Enterprise | T1090.001 | Proxy: Internal Proxy

MiniDuke can use a named pipe to forward communications from one compromised machine with internet access to other compromised machines.[2]

Enterprise | T1082 | System Information Discovery

MiniDuke can gather the hostname on a compromised machine.[2]

Enterprise | T1102.001 | Web Service: Dead Drop Resolver

Some MiniDuke components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds.[1][3][2]

Groups That Use This Software

ID | Name | References

G0016 | APT29 | [1][2][4]

Campaigns

ID | Name | Description

C0023 | Operation Ghost

For Operation Ghost, APT29 used MiniDuke as a second-stage backdoor.[2]

References
