1. Home
  2. Software
  3. OnionDuke

OnionDuke

OnionDuke is malware that was used by APT29 from 2013 to 2015. [1]

ID: S0052
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 23 September 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1140 反混淆/解码文件或信息

OnionDuke can use a custom decryption algorithm to decrypt strings.[2]
Enterprise T1071 .001 应用层协议: Web Protocols

OnionDuke uses HTTP and HTTPS for C2.[1]
Enterprise T1003 操作系统凭证转储

OnionDuke steals credentials from its victims.[1]
Enterprise T1499 终端拒绝服务

OnionDuke has the capability to use a Denial of Service module.[2]
Enterprise T1102 .003 网络服务: One-Way Communication

OnionDuke uses Twitter as a backup C2.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3]

References

  1. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  2. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  1. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.