win.fatduke

FatDuke

Actor(s): APT 29


According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET has also seen the operators dropping FatDuke using lateral movement tools such as PsExec. The operators regularly repack this malware in order to evade detection. The most recent sample of FatDuke that ESET has seen was compiled on May 24, 2019. ESET has seen the operators trying to regain control of a machine multiple times in a few days, each time with a different sample. Their packer, described in a later section of the ESET report, adds a lot of code, leading to large binaries. While the effective code should not be larger than 1MB, ESET has seen one sample weighing in at 13MB, hence ESET's name for this backdoor component: FatDuke.

References
2020 — Secureworks — SecureWorks
@online{secureworks:2020:iron:59396c7, author = {SecureWorks}, title = {{IRON HEMLOCK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hemlock}, language = {English}, urldate = {2020-05-23} } IRON HEMLOCK
FatDuke MiniDuke OnionDuke PolyglotDuke APT 29
2019-10-17 — ESET Research — Matthieu Faou, Mathieu Tartare, Thomas Dupuy
@techreport{faou:20191017:operation:b695c9b, author = {Matthieu Faou and Mathieu Tartare and Thomas Dupuy}, title = {{OPERATION GHOST The Dukes aren’t back — they never left}}, date = {2019-10-17}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf}, language = {English}, urldate = {2020-05-18} } OPERATION GHOST The Dukes aren’t back — they never left
FatDuke
Yara Rules
[TLP:WHITE] win_fatduke_auto (20220808 | Detects win.fatduke.)
rule win_fatduke_auto {
    // Auto-generated (yara-signator) code-pattern rule for the FatDuke backdoor
    // attributed to APT29 (see malpedia_reference in meta). Each $sequence_N is a
    // run of seven x86 instruction encodings taken from the disassembly; the
    // '??' bytes are wildcards for operands that change between builds — rel32
    // jump/call targets (e9/e8) and absolute data references (a1 / 8b0d) — which
    // is what the "callsandjumps;datarefs" signator_config below refers to.
    // Instructions that were wildcarded have an empty disassembly column in the
    // per-sequence comments.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.fatduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): because the sequences come from memory dumps and unpacked
    // files, this rule is aimed at unpacked FatDuke code (memory scans, unpacked
    // samples). The family description mentions a repacked sample of 13MB; a
    // file that size exceeds the filesize bound in the condition, so heavily
    // packed droppers on disk are not expected to match — pair this rule with
    // unpacking or memory scanning rather than relying on it for on-disk
    // detection of packed builds.

    strings:
        // $sequence_0..2 and $sequence_6: chains of "load/lea ecx with a
        // stack-frame offset, then jmp rel32" — repeated indirect dispatch
        // patterns; the jmp targets are wildcarded.
        $sequence_0 = { e9???????? 8b4de4 81c1d0000000 e9???????? 8b4de4 81c1e8000000 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   81c1d0000000         | add                 ecx, 0xd0
            //   e9????????           |                     
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   81c1e8000000         | add                 ecx, 0xe8
            //   e9????????           |                     

        $sequence_1 = { e9???????? 8b8de4feffff 81c138070000 e9???????? 8b8decfeffff e9???????? 8b8de4feffff }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b8de4feffff         | mov                 ecx, dword ptr [ebp - 0x11c]
            //   81c138070000         | add                 ecx, 0x738
            //   e9????????           |                     
            //   8b8decfeffff         | mov                 ecx, dword ptr [ebp - 0x114]
            //   e9????????           |                     
            //   8b8de4feffff         | mov                 ecx, dword ptr [ebp - 0x11c]

        $sequence_2 = { e9???????? 8b4df0 81c144030000 e9???????? 8b4df0 81c148030000 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   81c144030000         | add                 ecx, 0x344
            //   e9????????           |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   81c148030000         | add                 ecx, 0x348
            //   e9????????           |                     

        // $sequence_3 and $sequence_7..9: "imul cl" with a byte constant in cl and
        // the result stored to a stack byte — the same arithmetic pattern at
        // several stack offsets, likely one unrolled routine (the absolute
        // data loads a1/8b0d are wildcarded).
        $sequence_3 = { f6e9 8b0d???????? 8845b1 a1???????? 8ac1 b179 f6e9 }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   8b0d????????         |                     
            //   8845b1               | mov                 byte ptr [ebp - 0x4f], al
            //   a1????????           |                     
            //   8ac1                 | mov                 al, cl
            //   b179                 | mov                 cl, 0x79
            //   f6e9                 | imul                cl

        // $sequence_4 and $sequence_5: call rel32 (wildcarded) surrounded by
        // writes to [ebp - 4] of increasing constants — consistent with compiler
        // generated per-object state tracking, not attacker-chosen values.
        $sequence_4 = { e8???????? c645fc27 8d8fb0030000 68???????? e8???????? c645fc28 8d8fd8030000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c645fc27             | mov                 byte ptr [ebp - 4], 0x27
            //   8d8fb0030000         | lea                 ecx, [edi + 0x3b0]
            //   68????????           |                     
            //   e8????????           |                     
            //   c645fc28             | mov                 byte ptr [ebp - 4], 0x28
            //   8d8fd8030000         | lea                 ecx, [edi + 0x3d8]

        $sequence_5 = { e8???????? c645fc53 6aff 6a00 50 8d4d8c e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c645fc53             | mov                 byte ptr [ebp - 4], 0x53
            //   6aff                 | push                -1
            //   6a00                 | push                0
            //   50                   | push                eax
            //   8d4d8c               | lea                 ecx, [ebp - 0x74]
            //   e8????????           |                     

        $sequence_6 = { e9???????? 8d8d78ecffff e9???????? 8d8df8edffff e9???????? 8d8d58f3ffff e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8d8d78ecffff         | lea                 ecx, [ebp - 0x1388]
            //   e9????????           |                     
            //   8d8df8edffff         | lea                 ecx, [ebp - 0x1208]
            //   e9????????           |                     
            //   8d8d58f3ffff         | lea                 ecx, [ebp - 0xca8]
            //   e9????????           |                     

        $sequence_7 = { f6e9 8885c6feffff a1???????? 8b0d???????? b170 f6e9 8885c7feffff }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   8885c6feffff         | mov                 byte ptr [ebp - 0x13a], al
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   b170                 | mov                 cl, 0x70
            //   f6e9                 | imul                cl
            //   8885c7feffff         | mov                 byte ptr [ebp - 0x139], al

        $sequence_8 = { f6e9 888571ffffff a1???????? 8b0d???????? b172 f6e9 888572ffffff }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   888571ffffff         | mov                 byte ptr [ebp - 0x8f], al
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   b172                 | mov                 cl, 0x72
            //   f6e9                 | imul                cl
            //   888572ffffff         | mov                 byte ptr [ebp - 0x8e], al

        $sequence_9 = { f6e9 8885b3f3ffff a1???????? 8b0d???????? b16e f6e9 8885b4f3ffff }
            // n = 7, score = 100
            //   f6e9                 | imul                cl
            //   8885b3f3ffff         | mov                 byte ptr [ebp - 0xc4d], al
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   b16e                 | mov                 cl, 0x6e
            //   f6e9                 | imul                cl
            //   8885b4f3ffff         | mov                 byte ptr [ebp - 0xc4c], al

    condition:
        // Ten sequences are defined, so at least 7 of the 10 must be present.
        // The filesize bound is in bytes (9012224 ≈ 8.6 MiB); it applies to the
        // scanned object, so a memory dump larger than this will not match
        // regardless of how many sequences it contains.
        7 of them and filesize < 9012224
}