OnionDuke is a malware family that has been distributed via the Tor network since at least October 2013. Since at least February 2014, the threat actors have also distributed it through trojanized versions of pirated software hosted on torrent websites.

Behavior

A malicious Tor exit node distributes the OnionDuke dropper, detected as Trojan-Dropper:W32/OnionDuke.A, by wrapping executables that victims download through that node. The dropper contains a PE resource that appears to be an embedded GIF image file, but is in reality an encrypted DLL: the dropper decrypts it, writes it to disk, and executes it.
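The resource trick above is easy to triage once you stop trusting the resource's name and type. The following added example (written for this page, not OnionDuke's own code or F-Secure's tooling) takes a resource blob, checks whether it is structurally a GIF, and searches for a PE header that only appears after undoing a single-byte XOR. The single-byte XOR is an assumption standing in for whatever cipher the real dropper uses, the sample blobs are constructed inline, and the `IMAGE_FILE_DLL` check is what tells you the hidden image is a DLL rather than an EXE.

```python
"""Triage a PE resource that claims to be an image but may hide an encoded DLL.

Added example, not OnionDuke's own code: the single-byte XOR used here is an
assumption standing in for whatever cipher the real dropper applies.
"""
import math
import struct

IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics flag


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. A real cipher pushes this toward 8; a single-byte XOR
    over a mostly-zero PE skeleton does not, which is why the structural
    search below is the check that matters and entropy is only a hint."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_gif(data: bytes) -> bool:
    """Structural check: GIF signature, room for the logical screen
    descriptor, and the 0x3B trailer byte a real encoder writes last."""
    return (
        len(data) >= 14
        and data[:6] in (b"GIF87a", b"GIF89a")
        and data[-1] == 0x3B
    )


def find_pe(data: bytes):
    """Return (offset, is_dll) of the first well-formed PE header in data.

    'MZ' alone is a weak signal (two bytes match by chance); requiring the
    e_lfanew pointer to land on 'PE\\0\\0' inside the buffer makes it robust."""
    start = 0
    while True:
        off = data.find(b"MZ", start)
        if off < 0 or off + 0x40 > len(data):
            return None
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe = off + e_lfanew
        if pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
            characteristics = struct.unpack_from("<H", data, pe + 22)[0]
            return off, bool(characteristics & IMAGE_FILE_DLL)
        start = off + 1


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def triage_resource(data: bytes) -> dict:
    """Decide whether an 'image' resource is genuine or a wrapped PE."""
    result = {
        "entropy": round(shannon_entropy(data), 2),
        "valid_gif": looks_like_gif(data),
        "pe_offset": None,
        "is_dll": False,
        "xor_key": None,
    }
    for key in range(256):  # key 0 covers the unencoded case
        hit = find_pe(xor_single_byte(data, key))
        if hit:
            result["pe_offset"], result["is_dll"] = hit
            result["xor_key"] = key
            break
    return result


def build_sample_dll() -> bytes:
    """Constructed minimal DLL skeleton (MZ stub, e_lfanew -> PE header)."""
    img = bytearray(0x80)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x014C)         # Machine: i386
    struct.pack_into("<H", img, 0x40 + 22, 0x2102)    # EXECUTABLE|32BIT|DLL
    return bytes(img)


# Constructed samples: a genuine tiny GIF, and a DLL XOR-encoded with 0x5A
# behind a bare GIF signature so the resource "looks like" an image.
REAL_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)
            + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
            + b"\x02\x02\x44\x01\x00" + b"\x3b")
FAKE_GIF = b"GIF89a" + xor_single_byte(build_sample_dll(), 0x5A)

if __name__ == "__main__":
    for name, blob in (("real", REAL_GIF), ("fake", FAKE_GIF)):
        print(name, triage_resource(blob))
```

On the constructed samples the genuine GIF passes the structural check and yields no PE under any key, while the fake one fails the trailer check and gives up a DLL at offset 6 under key 0x5A. In practice you would feed this the raw resource bytes pulled from the dropper's `.rsrc` section, and extend the decoder loop with whatever scheme the sample actually uses once you have identified it.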

The DLL, detected as Backdoor:W32/OnionDuke.B, decrypts its embedded configuration and attempts to connect to the hardcoded C&C domains listed in it.
