RegDuke

RegDuke is a first stage implant written in .NET and used by APT29 since at least 2017. RegDuke has been used to control a compromised machine when control of other implants on the machine was lost.^[1]

ID: S0511

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 23 September 2020

Last Modified: 24 March 2023

Techniques Used

Domain	ID		Name	Use
Enterprise	T1546	.003	事件触发执行: Windows Management Instrumentation Event Subscription	RegDuke can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started.^[1]
Enterprise	T1112		修改注册表	RegDuke can create seemingly legitimate Registry key to store its encryption key.^[1]
Enterprise	T1140		反混淆/解码文件或信息	RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.^[1]
Enterprise	T1059	.001	命令与脚本解释器: PowerShell	RegDuke can extract and execute PowerShell scripts from C2 communications.^[1]
Enterprise	T1027		混淆文件或信息	RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.^[1]
		.003	Steganography	RegDuke can hide data in images, including use of the Least Significant Bit (LSB).^[1]
		.011	Fileless Storage	RegDuke can store its encryption key in the Registry.^[1]
Enterprise	T1102	.002	网络服务: Bidirectional Communication	RegDuke can use Dropbox as its C2 server.^[1]
Enterprise	T1105		输入工具传输	RegDuke can download files from C2.^[1]

Groups That Use This Software

ID	Name	References
G0016	APT29	^[1]^[2]

Campaigns

ID	Name	Description
C0023	Operation Ghost	For Operation Ghost, APT29 used RegDuke as a first-stage implant.^[1]

References

Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.

RegDuke

Enterprise Layer

Techniques Used

Groups That Use This Software

Campaigns

References