win.fatduke

FatDuke

Actor(s): APT 29


According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET has also seen the operators dropping FatDuke using lateral movement tools such as PsExec. The operators regularly repack this malware in order to evade detection. The most recent sample of FatDuke that ESET has seen was compiled on May 24, 2019. ESET has seen the operators trying to regain control of a machine multiple times in a few days, each time with a different sample. Their packer, described in a later section of the ESET report, adds a lot of code, leading to large binaries. While the effective code should not be larger than 1MB, ESET has seen one sample weighing in at 13MB, hence the name of this backdoor component: FatDuke.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:59396c7, author = {SecureWorks}, title = {{IRON HEMLOCK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock}, language = {English}, urldate = {2020-05-23} } IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT 29
2019-10-17 | ESET Research | Matthieu Faou, Mathieu Tartare, Thomas Dupuy
@techreport{faou:20191017:operation:b695c9b, author = {Matthieu Faou and Mathieu Tartare and Thomas Dupuy}, title = {{OPERATION GHOST The Dukes aren’t back — they never left}}, date = {2019-10-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf}, language = {English}, urldate = {2020-05-18} } OPERATION GHOST The Dukes aren’t back — they never left
FatDuke
Yara Rules
[TLP:WHITE] win_fatduke_auto (20211008 | Detects win.fatduke.)
rule win_fatduke_auto {

    /* Purpose: detect FatDuke (win.fatduke) by ten short x86 instruction
     * sequences taken from the disassembly of memory dumps and unpacked
     * samples (see DISCLAIMER below). Because the sequences come from
     * unpacked code, the rule is best applied to unpacked payloads or
     * process memory; the packed on-disk form is not what was signatured.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.fatduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // "callsandjumps;datarefs": rel32 call/jmp targets and absolute data
        // references are masked with ???????? in the strings below, since
        // those operands differ between builds and load addresses.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each string is a hex byte sequence of 7 instructions ("n = 7"); the
    // listing under each string is the disassembly of those bytes. Entries
    // with an empty mnemonic column are the instructions whose 4-byte
    // operand is wildcarded (e9 = jmp rel32, e8 = call rel32,
    // a1 / 8b0d = mov eax/ecx from an absolute address).
    // "score" is yara-signator's selection metric for the sequence; see the
    // tool's documentation for its exact meaning.
    strings:
        $sequence_0 = { e9???????? 8b8de4fcffff 81c140010000 e9???????? 8b8de4fcffff 81c158010000 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b8de4fcffff         | mov                 ecx, dword ptr [ebp - 0x31c]
            //   81c140010000         | add                 ecx, 0x140
            //   e9????????           |                     
            //   8b8de4fcffff         | mov                 ecx, dword ptr [ebp - 0x31c]
            //   81c158010000         | add                 ecx, 0x158
            //   e9????????           |                     

        $sequence_1 = { c787dc00000000000000 c687cc00000000 c645fc07 83bfc800000010 720e ffb7b4000000 e8???????? }
            // n = 7, score = 100
            //   c787dc00000000000000     | mov    dword ptr [edi + 0xdc], 0
            //   c687cc00000000       | mov                 byte ptr [edi + 0xcc], 0
            //   c645fc07             | mov                 byte ptr [ebp - 4], 7
            //   83bfc800000010       | cmp                 dword ptr [edi + 0xc8], 0x10
            //   720e                 | jb                  0x10
            //   ffb7b4000000         | push                dword ptr [edi + 0xb4]
            //   e8????????           |                     

        $sequence_2 = { f6e9 884599 a1???????? 8b0d???????? b174 f6e9 88459a }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   884599               | mov                 byte ptr [ebp - 0x67], al
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   b174                 | mov                 cl, 0x74
            //   f6e9                 | imul                cl
            //   88459a               | mov                 byte ptr [ebp - 0x66], al

        $sequence_3 = { e9???????? 8b8de0f7ffff e9???????? 8d8d28f6ffff e9???????? 8d8d5cf5ffff e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b8de0f7ffff         | mov                 ecx, dword ptr [ebp - 0x820]
            //   e9????????           |                     
            //   8d8d28f6ffff         | lea                 ecx, dword ptr [ebp - 0x9d8]
            //   e9????????           |                     
            //   8d8d5cf5ffff         | lea                 ecx, dword ptr [ebp - 0xaa4]
            //   e9????????           |                     

        $sequence_4 = { f6ea 888565e3ffff 8b0d???????? a1???????? 8ac1 b10d f6e9 }
            // n = 7, score = 100
            //   f6ea                 | imul                dl
            //   888565e3ffff         | mov                 byte ptr [ebp - 0x1c9b], al
            //   8b0d????????         |                     
            //   a1????????           |                     
            //   8ac1                 | mov                 al, cl
            //   b10d                 | mov                 cl, 0xd
            //   f6e9                 | imul                cl

        $sequence_5 = { e8???????? c645fc08 55 bd5048771d bd07416e05 21dd bd9311d018 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c645fc08             | mov                 byte ptr [ebp - 4], 8
            //   55                   | push                ebp
            //   bd5048771d           | mov                 ebp, 0x1d774850
            //   bd07416e05           | mov                 ebp, 0x56e4107
            //   21dd                 | and                 ebp, ebx
            //   bd9311d018           | mov                 ebp, 0x18d01193

        $sequence_6 = { f6e9 8b0d???????? 888580fbffff a1???????? 8ac1 b164 f6e9 }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   8b0d????????         |                     
            //   888580fbffff         | mov                 byte ptr [ebp - 0x480], al
            //   a1????????           |                     
            //   8ac1                 | mov                 al, cl
            //   b164                 | mov                 cl, 0x64
            //   f6e9                 | imul                cl

        $sequence_7 = { f6e9 888558f8ffff a1???????? 8b0d???????? b165 f6e9 888559f8ffff }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   888558f8ffff         | mov                 byte ptr [ebp - 0x7a8], al
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   b165                 | mov                 cl, 0x65
            //   f6e9                 | imul                cl
            //   888559f8ffff         | mov                 byte ptr [ebp - 0x7a7], al

        $sequence_8 = { ff30 8d8528f7ffff 50 8bce e8???????? 83bd3cf7ffff10 720e }
            // n = 7, score = 100
            //   ff30                 | push                dword ptr [eax]
            //   8d8528f7ffff         | lea                 eax, dword ptr [ebp - 0x8d8]
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   83bd3cf7ffff10       | cmp                 dword ptr [ebp - 0x8c4], 0x10
            //   720e                 | jb                  0x10

        $sequence_9 = { e9???????? 8b8ddcfaffff 81c1e8000000 e9???????? 8b8ddcfaffff 81c100010000 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b8ddcfaffff         | mov                 ecx, dword ptr [ebp - 0x524]
            //   81c1e8000000         | add                 ecx, 0xe8
            //   e9????????           |                     
            //   8b8ddcfaffff         | mov                 ecx, dword ptr [ebp - 0x524]
            //   81c100010000         | add                 ecx, 0x100
            //   e9????????           |                     

    // Match when at least 7 of the 10 sequences are present and the scanned
    // object is smaller than 9012224 bytes (~8.6 MiB). The size cap applies to
    // the object being scanned, so a packed sample larger than this (ESET
    // reports one at 13MB) will not match on disk even if the unpacked code
    // would; scan the unpacked payload or process memory in that case.
    // No PE-header check (e.g. uint16(0) == 0x5a4d) is included, which keeps
    // the rule usable on memory dumps that lack an MZ header.
    condition:
        7 of them and filesize < 9012224
}