win.fatduke

FatDuke

Actor(s): APT29


According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET has also seen the operators dropping FatDuke using lateral movement tools such as PsExec. The operators regularly repack this malware in order to evade detections. The most recent FatDuke sample that ESET has seen was compiled on May 24, 2019. ESET has observed the operators trying to regain control of a machine multiple times within a few days, each time with a different sample. Their packer, described in a later section of the ESET report, adds a lot of code, leading to large binaries. While the effective code should not be larger than 1MB, ESET has seen one sample weighing in at 13MB, hence ESET's name for this backdoor component: FatDuke.

References

2020 - Secureworks - SecureWorks: IRON HEMLOCK
@online{secureworks:2020:iron:59396c7, author = {SecureWorks}, title = {{IRON HEMLOCK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock}, language = {English}, urldate = {2020-05-23} }
Families referenced: FatDuke, MiniDuke, OnionDuke, PolyglotDuke, APT29

2019-10-17 - ESET Research - Matthieu Faou, Mathieu Tartare, Thomas Dupuy: OPERATION GHOST The Dukes aren’t back — they never left
@techreport{faou:20191017:operation:b695c9b, author = {Matthieu Faou and Mathieu Tartare and Thomas Dupuy}, title = {{OPERATION GHOST The Dukes aren’t back — they never left}}, date = {2019-10-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf}, language = {English}, urldate = {2020-05-18} }
Families referenced: FatDuke
Yara Rules
[TLP:WHITE] win_fatduke_auto (20221125 | Detects win.fatduke.)
rule win_fatduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.fatduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? c645fc18 8d8e58020000 6a0e c741140f000000 c7411000000000 68???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c645fc18             | mov                 byte ptr [ebp - 4], 0x18
            //   8d8e58020000         | lea                 ecx, [esi + 0x258]
            //   6a0e                 | push                0xe
            //   c741140f000000       | mov                 dword ptr [ecx + 0x14], 0xf
            //   c7411000000000       | mov                 dword ptr [ecx + 0x10], 0
            //   68????????           |                     

        $sequence_1 = { ff7584 e8???????? 83c404 c745980f000000 c7459400000000 c6458400 56 }
            // n = 7, score = 100
            //   ff7584               | push                dword ptr [ebp - 0x7c]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c745980f000000       | mov                 dword ptr [ebp - 0x68], 0xf
            //   c7459400000000       | mov                 dword ptr [ebp - 0x6c], 0
            //   c6458400             | mov                 byte ptr [ebp - 0x7c], 0
            //   56                   | push                esi

        $sequence_2 = { e8???????? c68424801b00001f 83bc246c0a000008 720f ffb424580a0000 e8???????? 83c404 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c68424801b00001f     | mov                 byte ptr [esp + 0x1b80], 0x1f
            //   83bc246c0a000008     | cmp                 dword ptr [esp + 0xa6c], 8
            //   720f                 | jb                  0x11
            //   ffb424580a0000       | push                dword ptr [esp + 0xa58]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_3 = { f6e9 8b0d???????? 88857cffffff a1???????? 8ac1 b174 f6e9 }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   8b0d????????         |                     
            //   88857cffffff         | mov                 byte ptr [ebp - 0x84], al
            //   a1????????           |                     
            //   8ac1                 | mov                 al, cl
            //   b174                 | mov                 cl, 0x74
            //   f6e9                 | imul                cl

        $sequence_4 = { ff30 ffb734030000 e8???????? 5f 5e 5b 8be5 }
            // n = 7, score = 100
            //   ff30                 | push                dword ptr [eax]
            //   ffb734030000         | push                dword ptr [edi + 0x334]
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

        $sequence_5 = { f6e9 888544fbffff a1???????? 8b0d???????? b173 f6e9 888545fbffff }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   888544fbffff         | mov                 byte ptr [ebp - 0x4bc], al
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   b173                 | mov                 cl, 0x73
            //   f6e9                 | imul                cl
            //   888545fbffff         | mov                 byte ptr [ebp - 0x4bb], al

        $sequence_6 = { f6e9 8b0d???????? 88442445 a1???????? 8ac1 c0e005 02c1 }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   8b0d????????         |                     
            //   88442445             | mov                 byte ptr [esp + 0x45], al
            //   a1????????           |                     
            //   8ac1                 | mov                 al, cl
            //   c0e005               | shl                 al, 5
            //   02c1                 | add                 al, cl

        $sequence_7 = { f6e9 8b0d???????? 888571ffffff a1???????? c0e105 888d72ffffff 8b0d???????? }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   8b0d????????         |                     
            //   888571ffffff         | mov                 byte ptr [ebp - 0x8f], al
            //   a1????????           |                     
            //   c0e105               | shl                 cl, 5
            //   888d72ffffff         | mov                 byte ptr [ebp - 0x8e], cl
            //   8b0d????????         |                     

        $sequence_8 = { f6e9 8b0d???????? 88855affffff a1???????? 8ac1 b172 f6e9 }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   8b0d????????         |                     
            //   88855affffff         | mov                 byte ptr [ebp - 0xa6], al
            //   a1????????           |                     
            //   8ac1                 | mov                 al, cl
            //   b172                 | mov                 cl, 0x72
            //   f6e9                 | imul                cl

        $sequence_9 = { ff75d0 e8???????? 83c404 dd05???????? c745e40f000000 c745e000000000 c645d000 }
            // n = 7, score = 100
            //   ff75d0               | push                dword ptr [ebp - 0x30]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   dd05????????         |                     
            //   c745e40f000000       | mov                 dword ptr [ebp - 0x1c], 0xf
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   c645d000             | mov                 byte ptr [ebp - 0x30], 0

    condition:
        7 of them and filesize < 9012224
}