Currently viewing ATT&CK v8.2, which was live between October 27, 2020 and April 28, 2021.

OnionDuke

OnionDuke is malware that was used by APT29 from 2013 to 2015. [1]

ID: S0052
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 23 September 2020

Techniques Used

Domain / ID / Name / Use

Enterprise T1071.001 Application Layer Protocol: Web Protocols
OnionDuke uses HTTP and HTTPS for C2.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information
OnionDuke can use a custom decryption algorithm to decrypt strings.[2]

Enterprise T1499 Endpoint Denial of Service
OnionDuke has the capability to use a Denial of Service module.[2]

Enterprise T1003 OS Credential Dumping
OnionDuke steals credentials from its victims.[1]

Enterprise T1102.003 Web Service: One-Way Communication
OnionDuke uses Twitter as a backup C2.[1]
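A practical use of a software entry like this one is to turn its technique mappings into an ATT&CK Navigator layer so the techniques can be overlaid on detection coverage. The following is an added example, not code from the ATT&CK project: it transcribes the five mappings listed above, resolves each sub-technique (T1071.001, T1102.003) to its parent technique so the parent is expanded in the Navigator view, and emits layer JSON. The "versions" values are an assumption about the layer format current for ATT&CK v8-era Navigator builds; the comment strings are paraphrases of the Use column, not ATT&CK text.

```python
import json
import re

# Mappings transcribed from the OnionDuke (S0052) entry on this page.
ONIONDUKE_TECHNIQUES = [
    ("T1071.001", "Application Layer Protocol: Web Protocols", "uses HTTP and HTTPS for C2"),
    ("T1140", "Deobfuscate/Decode Files or Information", "custom decryption algorithm for strings"),
    ("T1499", "Endpoint Denial of Service", "Denial of Service module"),
    ("T1003", "OS Credential Dumping", "steals credentials from victims"),
    ("T1102.003", "Web Service: One-Way Communication", "Twitter as backup C2"),
]

# Enterprise technique IDs are Tnnnn, optionally followed by a .nnn sub-technique suffix.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parent_id(technique_id):
    """Return the parent technique ID of a sub-technique, or the ID itself if it has no suffix."""
    if not TECHNIQUE_ID.match(technique_id):
        raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
    return technique_id.split(".")[0]


def build_layer(software_name, software_id, mappings):
    """Build a Navigator layer dict: mapped techniques scored 1, parents of sub-techniques expanded."""
    entries = {}
    for tid, _name, use in mappings:
        entries[tid] = {
            "techniqueID": tid,
            "score": 1,
            "comment": f"{software_id}: {use}",
            "enabled": True,
        }
        parent = parent_id(tid)
        if parent != tid:
            # Parent is added with score 0 so it is not counted as a direct mapping,
            # but showSubtechniques makes the Navigator expand it to reveal the child.
            entries.setdefault(parent, {
                "techniqueID": parent,
                "score": 0,
                "comment": f"{software_id}: sub-technique(s) observed",
                "enabled": True,
            })
            entries[parent]["showSubtechniques"] = True
    return {
        "name": f"{software_name} ({software_id})",
        # Assumed version triple for a v8-era layer; adjust to the Navigator build in use.
        "versions": {"attack": "8", "navigator": "4.2", "layer": "4.1"},
        "domain": "enterprise-attack",
        "description": f"Techniques attributed to {software_name} in ATT&CK.",
        "techniques": [entries[k] for k in sorted(entries)],
    }


def layer_json(software_name="OnionDuke", software_id="S0052", mappings=ONIONDUKE_TECHNIQUES):
    """Serialized layer, ready to load into the Navigator via Open Existing Layer."""
    return json.dumps(build_layer(software_name, software_id, mappings), indent=2)


if __name__ == "__main__":
    print(layer_json())
```

Loading the output into the Navigator highlights the five mapped techniques; the two parent entries (T1071, T1102) carry a zero score so a coverage heat map built from this layer does not double-count a sub-technique against its parent.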

Groups That Use This Software

ID Name References
G0016 APT29 [1][2]

References