PowerDuke

PowerDuke is a sophisticated malware first observed in August 2016 and used extensively by APT28, an advanced persistent threat group. It is designed to create backdoors in compromised systems, which allows the attackers to maintain access and control over these systems. The malware infects systems through various methods, such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, PowerDuke can steal personal information, disrupt operations, or even hold data hostage for ransom. Notably, PowerDuke has been used in targeted attack campaigns against universities, replacing think tanks as the primary targets. PowerDuke exhibits an extensive list of features that enable the attackers, known as the Dukes, to examine and control a system. These features include the ability to drop files into specific directories like "%APPDATA\Roaming\Skype\", "%APPDATA\Roaming\Dell\", "%APPDATA\Roaming\Apple\", and "%APPDATA\Roaming\HP\" with persistence via HKCU Run Keys. The malware also uses Microsoft shortcut files with embedded PowerShell and clean decoy documents to deceive users and evade detection. Volexity, the cybersecurity firm that named this backdoor PowerDuke, suspects that its feature set is an extension of the anti-VM capabilities present in the initial dropper files. Despite PowerDuke's extensive capabilities, not all aspects of this malware have been fully examined. Volexity has noted that PowerDuke appears to support additional commands not described above, indicating its potential for further harm. Moreover, it has been observed that PowerDuke uses alternate data streams (ADS) to hide and encrypt its backdoor component within PNG files using the Tiny Encryption Algorithm (TEA), making it even more difficult to detect and neutralize. Given the complexity and versatility of PowerDuke, it remains a significant cybersecurity threat.