naval kitch

SeaDuke
SeaDuke appeared in October 2014, after the disclosure of most of the Duke campaigns. Like the majority of the Duke family, SeaDuke exclusively targets government organizations. The main difference between SeaDuke and its sister campaigns is that SeaDuke focuses on a small number of high-value targets. Additionally, of the Duke malware, SeaDuke alone is written in Python. This choice by the developers could indicate that the group is expanding its victim pool to Linux systems as well as Windows hosts. The overall framework of the malware remains similar to CozyDuke. SeaDuke is a highly configurable trojan and backdoor that is often installed onto victim systems through CozyDuke or via a compromised website. It has hundreds of possible configurations. According to Symantec, the threat actor behind CozyDuke may only deploy SeaDuke on systems belonging to “major government-level targets.” SeaDuke primarily allows the attacker to upload, download, and delete files on the victim machine, as well as to retrieve bot/system information and to update the bot configuration. It is possible that the threat actor deploys the malware to remove the indicators of compromise from other campaigns after a successful breach. The trojan may also be used to conduct pass-the-ticket attacks against Kerberos, to steal emails from Microsoft Exchange servers using compromised credentials, to archive sensitive data, or to exfiltrate data through legitimate cloud services. The C&C infrastructure behind SeaDuke relies on over 200 compromised web servers and several layers of RC4 and AES encryption and Base64 encoding. These extra obfuscation measures may be an attempt to remain undiscovered and thereby draw attention away from the Duke campaigns. SeaDuke communicates with its C&C servers via HTTP(S).
SeaDaddy
CloudDuke
Discovered in June 2015, CloudDuke is the most recent Duke campaign. The campaign may be a tactical shift in response to the widespread disclosure of the other Duke campaigns by security firms such as Kaspersky, Symantec, and F-Secure. CloudDuke relies on spear-phishing emails that closely resemble those deployed in the CozyDuke campaign. The CloudDuke emails contain a self-extracting archive attachment that appears to be an empty voicemail file (.wav) or a PDF file (often containing the word “terrorism”). If the attachment is opened, the second-stage dropper executes. So far, the campaign has targeted European diplomatic organizations. The CloudDuke malware consists of a downloader, a loader, and two backdoors, which are downloaded and executed from either a web address or a Microsoft OneDrive account. The malware maps a OneDrive cloud storage drive as a network drive using hardcoded credentials and then downloads its backdoors to the local system. The downloader may also download and execute additional malware, likely another Duke malware, from a preconfigured location. CloudDuke’s backdoor functionality resembles that of SeaDuke. One backdoor contacts a preconfigured C&C server while the other relies on a Microsoft OneDrive account. As its name suggests, CloudDuke uses cloud storage services both for its command and control infrastructure and as its data exfiltration method.
cloudlook