win.fatduke (Back to overview)

FatDuke

Actor(s): APT29


According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET has also seen the operators dropping FatDuke using lateral movement tools such as PsExec. The operators regularly repack this malware in order to evade detections. The most recent sample of FatDuke that ESET has seen was compiled on May 24, 2019. ESET has seen the operators trying to regain control of a machine multiple times in a few days, each time with a different sample. Their packer, described in a later section, adds a lot of code, leading to large binaries. While the effective code should not be larger than 1MB, ESET has seen one sample weighing in at 13MB, hence the name ESET gave this backdoor component: FatDuke.

References
2020SecureworksSecureWorks
@online{secureworks:2020:iron:59396c7, author = {SecureWorks}, title = {{IRON HEMLOCK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock}, language = {English}, urldate = {2020-05-23} } IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT29
2019-10-17ESET ResearchMatthieu Faou, Mathieu Tartare, Thomas Dupuy
@techreport{faou:20191017:operation:b695c9b, author = {Matthieu Faou and Mathieu Tartare and Thomas Dupuy}, title = {{OPERATION GHOST The Dukes aren’t back — they never left}}, date = {2019-10-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf}, language = {English}, urldate = {2020-05-18} } OPERATION GHOST The Dukes aren’t back — they never left
FatDuke
Yara Rules
[TLP:WHITE] win_fatduke_auto (20230715 | Detects win.fatduke.)
rule win_fatduke_auto {
    /* Auto-generated code-signature rule for the FatDuke backdoor (Malpedia
     * family win.fatduke). Each $sequence_N string is a run of x86 machine-code
     * bytes taken from the disassembly of unpacked/dumped samples (see the
     * generator DISCLAIMER below); the inline "//" comments under every string
     * show the corresponding instructions. The rule is not a string/IoC rule:
     * it matches on code shape, so it is meant for unpacked or in-memory code
     * rather than the packed on-disk binary.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.fatduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke"
        malpedia_rule_date = "20230705"
        // NOTE(review): a 40-hex value; whether this identifies a sample or a
        // Malpedia repository revision is not stated here -- confirm before
        // treating it as a sample hash / IoC.
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Hex strings: "??" wildcards mask bytes that vary between builds. Every
     * e8???????? / e9???????? entry is a call/jmp whose 4-byte relative target
     * is wildcarded, which is why its disassembly column is blank; likewise
     * d905???????? masks an absolute data address. The "n = 7, score = 200"
     * annotations are generator statistics (n = instructions in the sequence;
     * the score's exact meaning is not documented on this page).
     */
    strings:
        $sequence_0 = { c7860004000000000000 c686f003000000 c645fc27 83beec03000010 720e ffb6d8030000 e8???????? }
            // n = 7, score = 200
            //   c7860004000000000000     | mov    dword ptr [esi + 0x400], 0
            //   c686f003000000       | mov                 byte ptr [esi + 0x3f0], 0
            //   c645fc27             | mov                 byte ptr [ebp - 4], 0x27
            //   83beec03000010       | cmp                 dword ptr [esi + 0x3ec], 0x10
            //   720e                 | jb                  0x10
            //   ffb6d8030000         | push                dword ptr [esi + 0x3d8]
            //   e8????????           |                     

        $sequence_1 = { c78500ffffff00000000 50 50 8bc8 c78500ffffff07000000 c785fcfeffff00000000 e8???????? }
            // n = 7, score = 200
            //   c78500ffffff00000000     | mov    dword ptr [ebp - 0x100], 0
            //   50                   | push                eax
            //   50                   | push                eax
            //   8bc8                 | mov                 ecx, eax
            //   c78500ffffff07000000     | mov    dword ptr [ebp - 0x100], 7
            //   c785fcfeffff00000000     | mov    dword ptr [ebp - 0x104], 0
            //   e8????????           |                     

        $sequence_2 = { e9???????? 8b4df0 81c134030000 e9???????? 8b4df0 81c14c030000 e9???????? }
            // n = 7, score = 200
            //   e9????????           |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   81c134030000         | add                 ecx, 0x334
            //   e9????????           |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   81c14c030000         | add                 ecx, 0x34c
            //   e9????????           |                     

        // Same instruction shape as $sequence_0 with ebx instead of esi as the
        // base register and smaller offsets -- presumably two instances of one
        // compiler-generated pattern; not verified here.
        $sequence_3 = { c7835402000000000000 c6834402000000 c645fc16 83bb4002000010 720e ffb32c020000 e8???????? }
            // n = 7, score = 200
            //   c7835402000000000000     | mov    dword ptr [ebx + 0x254], 0
            //   c6834402000000       | mov                 byte ptr [ebx + 0x244], 0
            //   c645fc16             | mov                 byte ptr [ebp - 4], 0x16
            //   83bb4002000010       | cmp                 dword ptr [ebx + 0x240], 0x10
            //   720e                 | jb                  0x10
            //   ffb32c020000         | push                dword ptr [ebx + 0x22c]
            //   e8????????           |                     

        $sequence_4 = { d905???????? 51 d91c24 6a2c 8bce e8???????? 57 }
            // n = 7, score = 200
            //   d905????????         |                     
            //   51                   | push                ecx
            //   d91c24               | fstp                dword ptr [esp]
            //   6a2c                 | push                0x2c
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   57                   | push                edi

        $sequence_5 = { e8???????? 83c404 33c0 c78530ffffff07000000 c7852cffffff00000000 6689851cffffff c645fc04 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   33c0                 | xor                 eax, eax
            //   c78530ffffff07000000     | mov    dword ptr [ebp - 0xd0], 7
            //   c7852cffffff00000000     | mov    dword ptr [ebp - 0xd4], 0
            //   6689851cffffff       | mov                 word ptr [ebp - 0xe4], ax
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4

        $sequence_6 = { eb9c 83f978 751f a900100000 7418 8bce e8???????? }
            // n = 7, score = 200
            //   eb9c                 | jmp                 0xffffff9e
            //   83f978               | cmp                 ecx, 0x78
            //   751f                 | jne                 0x21
            //   a900100000           | test                eax, 0x1000
            //   7418                 | je                  0x1a
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_7 = { ff750c 8b4d08 e8???????? c745fc00000000 c745e801000000 8b4508 8b4df4 }
            // n = 7, score = 200
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   c745e801000000       | mov                 dword ptr [ebp - 0x18], 1
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_8 = { 8d4dbc e9???????? 8d8d20ffffff e9???????? 8d4dd4 e9???????? 8d4db0 }
            // n = 7, score = 200
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   e9????????           |                     
            //   8d8d20ffffff         | lea                 ecx, [ebp - 0xe0]
            //   e9????????           |                     
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e9????????           |                     
            //   8d4db0               | lea                 ecx, [ebp - 0x50]

        $sequence_9 = { c645fc0a 837da410 720b ff7590 e8???????? 83c404 8b7dac }
            // n = 7, score = 200
            //   c645fc0a             | mov                 byte ptr [ebp - 4], 0xa
            //   837da410             | cmp                 dword ptr [ebp - 0x5c], 0x10
            //   720b                 | jb                  0xd
            //   ff7590               | push                dword ptr [ebp - 0x70]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b7dac               | mov                 edi, dword ptr [ebp - 0x54]

    /* Fires when at least 7 of the 10 sequences are present AND the scanned
     * object is smaller than 9012224 bytes (~8.6 MiB). The size cap is below
     * the 13 MB packed sample that ESET describes for this family, so packed
     * on-disk FatDuke binaries can fall outside this rule even when the code
     * patterns are present after unpacking; scan memory dumps / unpacked files,
     * and treat a miss on a packed file as inconclusive.
     */
    condition:
        7 of them and filesize < 9012224
}