The FatDuke backdoor has been used by APT29 since at least 2016. It can affect Windows operating systems and has the ability to execute PowerShell scripts. Additionally, it can copy files and directories from a compromised host, get user agent strings for the default browser, and list running processes on the localhost. FatDuke has also been observed to use pipes to connect machines with restricted internet access to remote machines via other infected hosts.
FatDuke Malware Capabilities
- FatDuke may use various techniques to detect and avoid virtualization and analysis environments, including enumerating time-based properties and using timers or other triggers to avoid detection. The malware may also abuse PowerShell commands and scripts for execution, and may interact with the Windows Registry to gather information about the system. In addition, FatDuke may attempt to get information about running processes on a system. Finally, the malware may manipulate features of its artifacts to make them appear legitimate.
- FatDuke may use a variety of methods to discover information about a system, including enumerating files and directories or searching for specific information in locations on a host or network share. This information may be used to determine follow-on behaviors, such as whether or not to fully infect a target. FatDuke may also collect system information such as version, patches, hotfixes, service packs, and architecture.
- FatDuke may communicate using application layer protocols associated with web traffic in order to blend in with existing traffic and avoid detection. Commands to the remote system, and often the results of those commands, are embedded within the protocol traffic. FatDuke may delete files that are left behind after its intrusion activities in order to minimize its footprint. It may also use software packing or virtual machine software protection to conceal its code.
- FatDuke may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents. If the primary communication channel is compromised or inaccessible, FatDuke may use a fallback or alternate channel in order to maintain reliable command and control. It may also interact with the native OS application programming interface to execute behaviors.
- FatDuke may also abuse PowerShell commands and scripts for execution in order itive data prior to Exfiltration.
- FatDuke is a malware that may interact with the Windows Registry to gather information about the system, configuration, and installed software. It may also attempt to get information about running processes on a system. The information obtained could be used to gain an understanding of common software/applications running on systems within the network.
- The FatDuke malware may use various methods to evade detection and persist on a system, including masquerading as legitimate files, adding entries to the "run keys" in the Windows Registry, and abusing the rundll32.exe process to execute malicious code.
- The FatDuke malware may attempt to discover information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. It may also communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
- The FatDuke malware may delete files, perform software packing, or use virtual machine software protection to conceal its code. It may also attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents.
- FatDuke may interact with the native OS application programming interface.
- FatDuke may employ a known symmetric encryption algorithm to conceal command and control traffic.
- FatDuke may look for details about the network configuration and settings of systems they access.
- FatDuke may use binary padding to add junk data and change the on-disk representation of malware.
Ways to Mitigate FatDuke Malware Attacks
- The FatDuke malware can be used to collect files and data from a system. It can be mitigated by setting proper execution policy, monitoring process and command-line arguments, and monitoring for unexpected or unauthorized use of commands.
- The FatDuke malware attack can be mitigated by analyzing network data for uncommon data flows between clients, and by analyzing packet contents to detect communications that do not follow the expected protocol behavior.
- The FatDuke malware attack can be mitigated by collecting file hashes and monitoring file names and Registry changes.
- The FatDuke malware can be mitigated by analyzing network data for uncommon data flows, and by looking for processes whose network communications do not follow the expected protocol standards. By doing so, it may be possible to detect and prevent further attacks.
- The FatDuke malware attack can be mitigated by monitoring for command-line deletion functions, using file scanning to look for known software packers or artifacts of packing techniques, and detecting the malicious activity that caused the obfuscated file.
- FatDuke malware attacks can be difficult to detect and may use legitimate Windows API calls to obfuscate its activities. However, process and command-line monitoring, as well as analysis of network data, may help to uncover malicious behavior.
- The FatDuke malware can be mitigated by using the malware's symmetric encryption key, once recovered, to decode its network traffic and detect malware communications signatures. Additionally, system and network discovery techniques can be used to identify potential FatDuke activity, and file-based signatures may be able to detect padded files used by the malware.
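As an added illustration (not taken from this page or from any FatDuke sample), the following Python triages constructed Sysmon-style events against four of the monitoring points listed above: rundll32.exe loading a DLL from an untrusted path, PowerShell launched with evasive flags, a write to a Registry "run key", and a command-line file deletion. All events, paths and registry values are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (not real FatDuke telemetry): id 1 = process
# creation, id 13 = registry value set. Field names are simplified.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\update.dll,Start"},
    {"id": "1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -enc SQBFAFgA"},
    {"id": "13", "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"rundll32.exe C:\Users\Public\update.dll,Start"},
    {"id": "1", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign: system DLL
    {"id": "1", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /q C:\Users\Public\update.dll"},
]

TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
POWERSHELL_SUSPECT = re.compile(r"(?i)(-enc(odedcommand)?\b|-executionpolicy\s+bypass|-w(indowstyle)?\s+hidden)")
DELETE_CMD = re.compile(r"(?i)\b(del|erase|remove-item|rd|rmdir)\b")
RUN_KEY = re.compile(r"(?i)\\currentversion\\run(once)?\\")

def rundll32_dll_arg(cmdline: str) -> str:
    """Return the DLL path passed to rundll32 (the first argument, before the comma)."""
    parts = cmdline.split(None, 1)
    return parts[1].split(",", 1)[0].strip().strip('"') if len(parts) == 2 else ""

def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Map each event index to the rule it triggers; unflagged events are omitted."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if ev["id"] == "1":
            image, cmd = ev["image"].lower(), ev["cmdline"]
            if image.endswith("\\rundll32.exe"):
                dll = rundll32_dll_arg(cmd).lower()
                # Bare names (shell32.dll) resolve via the search path and are not
                # flagged here; an explicit path outside trusted directories is.
                if "\\" in dll and not dll.startswith(TRUSTED_DLL_DIRS):
                    hits.append((i, "rundll32_untrusted_dll"))
            elif image.endswith("\\powershell.exe") and POWERSHELL_SUSPECT.search(cmd):
                hits.append((i, "powershell_evasive_flags"))
            elif image.endswith("\\cmd.exe") and DELETE_CMD.search(cmd):
                hits.append((i, "cmdline_file_deletion"))
        elif ev["id"] == "13" and RUN_KEY.search(ev["target"]):
            hits.append((i, "run_key_persistence"))
    return hits

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Correlating the flagged events by the shared DLL path (written to the Run key, loaded by rundll32, then deleted) is what turns four isolated alerts into one incident.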