PowerDuke

Malware Profile Updated 3 months ago
PowerDuke is a sophisticated malware first observed in August 2016 and used extensively by APT28, an advanced persistent threat group. It is designed to create backdoors in compromised systems, allowing the attackers to maintain access to and control over them. The malware reaches systems through various vectors, such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, PowerDuke can steal personal information, disrupt operations, or even hold data hostage for ransom. Notably, PowerDuke has been used in targeted attack campaigns against universities, which replaced think tanks as the primary targets.

PowerDuke exhibits an extensive list of features that enable the attackers, known as the Dukes, to examine and control a system. These include the ability to drop files into specific directories such as "%APPDATA\Roaming\Skype\", "%APPDATA\Roaming\Dell\", "%APPDATA\Roaming\Apple\", and "%APPDATA\Roaming\HP\", with persistence established via HKCU Run keys. The malware also uses Microsoft shortcut files with embedded PowerShell, paired with clean decoy documents, to deceive users and evade detection. Volexity, the cybersecurity firm that named this backdoor PowerDuke, suspects that its feature set is an extension of the anti-VM capabilities present in the initial dropper files.

Despite PowerDuke's extensive capabilities, not all aspects of this malware have been fully examined. Volexity has noted that PowerDuke appears to support additional commands beyond those it has documented, indicating its potential for further harm. Moreover, PowerDuke has been observed using alternate data streams (ADS) to hide its backdoor component, encrypted with the Tiny Encryption Algorithm (TEA), inside PNG files, making it even more difficult to detect and neutralize. Given the complexity and versatility of PowerDuke, it remains a significant cybersecurity threat.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
No overlaps to display
Miscellaneous Associations
Other elements of context that could aid in identifying relevance:
Backdoor
Volexity
Malware
Loader
Encryption
Decoy
Dropper
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
APT28 | Unspecified | 1
APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
The Dukes | Unspecified | 1
The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and several other aliases, is a highly active threat actor group widely believed to be associated with the Russian Foreign Intelligence Service (SVR). The group has been operational since at least 2008, targeting various governments, thin
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the PowerDuke malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs
CERT-EU | a year ago | Art of the Hunt: Building a Threat Hunting Hypothesis List