2020 by SecureWorks from Secureworks
2019-10-17 by Matthieu Faou from ESET Research
Tool: FatDuke
Names: FatDuke
Description: (ESET) FatDuke, the third stage. This sophisticated backdoor implements a lot of functionalities and has a very flexible configuration. Its code is also well obfuscated using many opaque predicates. They re-compile it and modify the obfuscation frequently to bypass security product detections.
Category: Malware
Type: Backdoor
Information: https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/
Information: https://www.secureworks.com/research/threat-profiles/iron-hemlock
Mitre-attack: https://attack.mitre.org/software/S0512/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Techniques |
---|---|
TA0002 Execution | T1059.001 Command and Scripting Interpreter: PowerShell. FatDuke has the ability to execute PowerShell scripts. |
TA0003 Persistence | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. FatDuke has used hklm\software\microsoft\currentversion\run to establish persistence. |
TA0004 Privilege Escalation | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. FatDuke has used hklm\software\microsoft\currentversion\run to establish persistence. |
TA0005 Defense Evasion | T1036 Masquerading. FatDuke has attempted to mimic a compromised user's traffic by using the same user agent as the installed browser. T1027 Obfuscated Files or Information. FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation. T1027.001 Obfuscated Files or Information: Binary Padding. FatDuke has been packed with junk code and strings. T1027.002 Obfuscated Files or Information: Software Packing. FatDuke has been regularly repacked by its operators to create large binaries and evade detection. T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion. FatDuke can turn itself on or off at random intervals. |
TA0007 Discovery | T1012 Query Registry. FatDuke can get user agent strings for the default browser from hkcu\software\classes\http\shell\open\command. T1082 System Information Discovery. FatDuke can collect the user name, Windows version, computer name, and available space on discs from a compromised host. T1016 System Network Configuration Discovery. FatDuke can identify the MAC address on the target computer. T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion. FatDuke can turn itself on or off at random intervals. |
TA0011 Command and Control | T1071.001 Application Layer Protocol: Web Protocols. FatDuke can be controlled via a custom C2 protocol over HTTP. T1090.001 Proxy: Internal Proxy. FatDuke can use pipes to connect machines with restricted internet access to remote machines via other infected hosts. |