win.fatduke

FatDuke

Actor(s): APT 29


According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is deployed only on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET has also seen the operators drop FatDuke using lateral movement tools such as PsExec. The operators regularly repack this malware in order to evade detection. The most recent sample of FatDuke that ESET has seen was compiled on May 24, 2019. ESET has seen the operators try to regain control of a machine multiple times within a few days, each time with a different sample. Their packer, described in a later section, adds a lot of code, leading to large binaries. While the effective code should not be larger than 1MB, ESET has seen one sample weighing in at 13MB, hence ESET's name for this backdoor component: FatDuke.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:59396c7, author = {SecureWorks}, title = {{IRON HEMLOCK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock}, language = {English}, urldate = {2020-05-23} } IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT 29
2019-10-17 | ESET Research | Matthieu Faou, Mathieu Tartare, Thomas Dupuy
@techreport{faou:20191017:operation:b695c9b, author = {Matthieu Faou and Mathieu Tartare and Thomas Dupuy}, title = {{OPERATION GHOST The Dukes aren’t back — they never left}}, date = {2019-10-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf}, language = {English}, urldate = {2020-05-18} } OPERATION GHOST The Dukes aren’t back — they never left
FatDuke
Yara Rules
[TLP:WHITE] win_fatduke_auto (20201023 | autogenerated rule brought to you by yara-signator)
// Auto-generated Malpedia detection rule for FatDuke (win.fatduke), the
// APT29 backdoor described above. Each $sequence_N string is a raw x86
// byte pattern picked by yara-signator from disassembly of memory dumps and
// unpacked files; "??" bytes are wildcards that mask relative call/jmp
// targets and absolute addresses, which differ between builds.
rule win_fatduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the sequences were derived from unpacked code. The
    // on-disk FatDuke sample is repacked regularly (see the description
    // above), so this rule is expected to match best against memory dumps
    // or unpacked payloads rather than the packed dropper as delivered.

    strings:
        $sequence_0 = { e9???????? 8d8424e4070000 50 8d8c24b00a0000 e8???????? c68424400f00006a 8bc8 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8d8424e4070000       | lea                 eax, [esp + 0x7e4]
            //   50                   | push                eax
            //   8d8c24b00a0000       | lea                 ecx, [esp + 0xab0]
            //   e8????????           |                     
            //   c68424400f00006a     | mov                 byte ptr [esp + 0xf40], 0x6a
            //   8bc8                 | mov                 ecx, eax

        // Sequences 1, 6, 7, 8 and 9 share the same shape: "imul cl" followed
        // by a single-byte store into a stack buffer, with the multiplier
        // loaded as an immediate (0x6e, 0x74, 0x65). Presumably part of a
        // byte-by-byte buffer construction routine -- unconfirmed from the
        // disassembly alone.
        $sequence_1 = { f6e9 88856ffbffff a1???????? 8b0d???????? b16e f6e9 888570fbffff }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   88856ffbffff         | mov                 byte ptr [ebp - 0x491], al
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   b16e                 | mov                 cl, 0x6e
            //   f6e9                 | imul                cl
            //   888570fbffff         | mov                 byte ptr [ebp - 0x490], al

        $sequence_2 = { e8???????? eb07 40 50 e8???????? 03c7 894630 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb07                 | jmp                 9
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   e8????????           |                     
            //   03c7                 | add                 eax, edi
            //   894630               | mov                 dword ptr [esi + 0x30], eax

        $sequence_3 = { e9???????? 8d8d00feffff e9???????? 8d8d24feffff e9???????? 8b542408 8d420c }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8d8d00feffff         | lea                 ecx, [ebp - 0x200]
            //   e9????????           |                     
            //   8d8d24feffff         | lea                 ecx, [ebp - 0x1dc]
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   8d420c               | lea                 eax, [edx + 0xc]

        $sequence_4 = { e8???????? c645fc0a 8d8d20ffffff e8???????? c645fc05 8d8d50ffffff e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c645fc0a             | mov                 byte ptr [ebp - 4], 0xa
            //   8d8d20ffffff         | lea                 ecx, [ebp - 0xe0]
            //   e8????????           |                     
            //   c645fc05             | mov                 byte ptr [ebp - 4], 5
            //   8d8d50ffffff         | lea                 ecx, [ebp - 0xb0]
            //   e8????????           |                     

        $sequence_5 = { e8???????? c645fc12 8d8ed0010000 6a4d c741140f000000 c7411000000000 68???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c645fc12             | mov                 byte ptr [ebp - 4], 0x12
            //   8d8ed0010000         | lea                 ecx, [esi + 0x1d0]
            //   6a4d                 | push                0x4d
            //   c741140f000000       | mov                 dword ptr [ecx + 0x14], 0xf
            //   c7411000000000       | mov                 dword ptr [ecx + 0x10], 0
            //   68????????           |                     

        $sequence_6 = { f6e9 888424b6000000 a1???????? 8b0d???????? b174 f6e9 888424b7000000 }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   888424b6000000       | mov                 byte ptr [esp + 0xb6], al
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   b174                 | mov                 cl, 0x74
            //   f6e9                 | imul                cl
            //   888424b7000000       | mov                 byte ptr [esp + 0xb7], al

        $sequence_7 = { f6e9 8b0d???????? 88442465 a1???????? 8ac1 b16e f6e9 }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   8b0d????????         |                     
            //   88442465             | mov                 byte ptr [esp + 0x65], al
            //   a1????????           |                     
            //   8ac1                 | mov                 al, cl
            //   b16e                 | mov                 cl, 0x6e
            //   f6e9                 | imul                cl

        $sequence_8 = { f6e9 8885affdffff a1???????? 8b0d???????? b165 f6e9 8885b0fdffff }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   8885affdffff         | mov                 byte ptr [ebp - 0x251], al
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   b165                 | mov                 cl, 0x65
            //   f6e9                 | imul                cl
            //   8885b0fdffff         | mov                 byte ptr [ebp - 0x250], al

        $sequence_9 = { f6e9 8b0d???????? 8885d1f9ffff a1???????? 8ac1 b16e f6e9 }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   8b0d????????         |                     
            //   8885d1f9ffff         | mov                 byte ptr [ebp - 0x62f], al
            //   a1????????           |                     
            //   8ac1                 | mov                 al, cl
            //   b16e                 | mov                 cl, 0x6e
            //   f6e9                 | imul                cl

    condition:
        // Fires when at least 7 of the 10 sequences are present and the
        // scanned object is under 9012224 bytes (~8.6 MiB).
        // NOTE(review): the description above reports a packed FatDuke sample
        // of 13MB, which this size cap would exclude; the cap keeps scanning
        // cheap for the unpacked code this rule was built from, so widen it
        // (or drop the filesize term) if you apply the rule to packed files.
        7 of them and filesize < 9012224
}