win.fatduke (Back to overview)

FatDuke

Actor(s): APT29


According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET has also seen the operators dropping FatDuke using lateral movement tools such as PsExec. The operators regularly repack this malware in order to evade detections. The most recent sample of FatDuke that ESET has seen was compiled on May 24, 2019. They have seen the operators trying to regain control of a machine multiple times in a few days, each time with a different sample. Their packer, described in a later section, adds a lot of code, leading to large binaries. While the effective code should not be larger than 1MB, ESET has seen one sample weighing in at 13MB, hence our name for this backdoor component: FatDuke.

References
2020-01-01 — Secureworks — SecureWorks
IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT29
2019-10-17 — ESET Research — Mathieu Tartare, Matthieu Faou, Thomas Dupuy
OPERATION GHOST The Dukes aren’t back — they never left
FatDuke
Yara Rules
[TLP:WHITE] win_fatduke_auto (20260504 | Detects win.fatduke.)
/*
 * Autogenerated YARA-Signator rule for win.fatduke (FatDuke, attributed to APT29).
 * Each $sequence_N string is a run of 32-bit x86 instruction bytes lifted from
 * the disassembly of unpacked files and memory dumps (see DISCLAIMER below);
 * the annotated disassembly under each string is informational only.
 * Bytes written as ?? are wildcards: the rel32 target of `e8` (call) and the
 * imm32 operand of `c701` / `c706` (mov dword ptr [reg], imm32) are masked so
 * the sequence does not depend on where the called code or referenced data
 * ends up in a given build.
 * "n" in the per-sequence comments is the instruction count of the sequence;
 * "score" is yara-signator's selection score, whose scale is not defined here.
 */
rule win_fatduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.fatduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c78540ffffff00000000 c78544ffffff00000000 c78544ffffff0f000000 c78540ffffff00000000 c68530ffffff00 803a00 7504 }
            // n = 7, score = 200
            //   c78540ffffff00000000     | mov    dword ptr [ebp - 0xc0], 0
            //   c78544ffffff00000000     | mov    dword ptr [ebp - 0xbc], 0
            //   c78544ffffff0f000000     | mov    dword ptr [ebp - 0xbc], 0xf
            //   c78540ffffff00000000     | mov    dword ptr [ebp - 0xc0], 0
            //   c68530ffffff00       | mov                 byte ptr [ebp - 0xd0], 0
            //   803a00               | cmp                 byte ptr [edx], 0
            //   7504                 | jne                 6

        $sequence_1 = { c645fc0e 837de010 720b ff75cc e8???????? 83c404 c745e00f000000 }
            // n = 7, score = 200
            //   c645fc0e             | mov                 byte ptr [ebp - 4], 0xe
            //   837de010             | cmp                 dword ptr [ebp - 0x20], 0x10
            //   720b                 | jb                  0xd
            //   ff75cc               | push                dword ptr [ebp - 0x34]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c745e00f000000       | mov                 dword ptr [ebp - 0x20], 0xf

        $sequence_2 = { c7863401000000000000 c6862401000000 c645fc0a 83be2001000010 720e ffb60c010000 e8???????? }
            // n = 7, score = 200
            //   c7863401000000000000     | mov    dword ptr [esi + 0x134], 0
            //   c6862401000000       | mov                 byte ptr [esi + 0x124], 0
            //   c645fc0a             | mov                 byte ptr [ebp - 4], 0xa
            //   83be2001000010       | cmp                 dword ptr [esi + 0x120], 0x10
            //   720e                 | jb                  0x10
            //   ffb60c010000         | push                dword ptr [esi + 0x10c]
            //   e8????????           |                     

        $sequence_3 = { 8d34c1 ff37 8bd6 e8???????? 83c404 ff75ec 51 }
            // n = 7, score = 200
            //   8d34c1               | lea                 esi, [ecx + eax*8]
            //   ff37                 | push                dword ptr [edi]
            //   8bd6                 | mov                 edx, esi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   51                   | push                ecx

        $sequence_4 = { ff750c 8bf1 ff7508 c70600000000 c7460400000000 c7460800000000 e8???????? }
            // n = 7, score = 200
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8bf1                 | mov                 esi, ecx
            //   ff7508               | push                dword ptr [ebp + 8]
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   c7460800000000       | mov                 dword ptr [esi + 8], 0
            //   e8????????           |                     

        $sequence_5 = { e8???????? 83c418 c645fc0a 8b4dd0 8b01 ff5004 33c0 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   c645fc0a             | mov                 byte ptr [ebp - 4], 0xa
            //   8b4dd0               | mov                 ecx, dword ptr [ebp - 0x30]
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5004               | call                dword ptr [eax + 4]
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { ff7620 e8???????? 83c404 c746340f000000 c7463000000000 c6462000 c745fcffffffff }
            // n = 7, score = 200
            //   ff7620               | push                dword ptr [esi + 0x20]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c746340f000000       | mov                 dword ptr [esi + 0x34], 0xf
            //   c7463000000000       | mov                 dword ptr [esi + 0x30], 0
            //   c6462000             | mov                 byte ptr [esi + 0x20], 0
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff

        $sequence_7 = { 7505 895110 eb1a 894de8 894de4 c645fc02 c701???????? }
            // n = 7, score = 200
            //   7505                 | jne                 7
            //   895110               | mov                 dword ptr [ecx + 0x10], edx
            //   eb1a                 | jmp                 0x1c
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   c701????????         |                     

        $sequence_8 = { ff7510 c706???????? ff7508 e8???????? c745fcffffffff 8bc6 8b4df4 }
            // n = 7, score = 200
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   c706????????         |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8bc6                 | mov                 eax, esi
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_9 = { e8???????? 5e 84c0 7407 8b4728 83700801 8bcf }
            // n = 7, score = 200
            //   e8????????           |                     
            //   5e                   | pop                 esi
            //   84c0                 | test                al, al
            //   7407                 | je                  9
            //   8b4728               | mov                 eax, dword ptr [edi + 0x28]
            //   83700801             | xor                 dword ptr [eax + 8], 1
            //   8bcf                 | mov                 ecx, edi

    /* At least 7 of the 10 code sequences must be present. The filesize cap
     * (9012224 bytes, just under 8.6 MiB) bounds the scan to files of a size
     * plausible for the unpacked code. Because the sequences were taken from
     * unpacked files and memory dumps (DISCLAIMER above), and ESET reports
     * packed on-disk builds as large as 13 MB, this rule is best applied to
     * memory dumps or unpacked payloads; a packed sample on disk may fail both
     * the string matches and the size limit, so a miss there is not evidence of
     * absence. */
    condition:
        7 of them and filesize < 9012224
}