Duke APT group adds low-profile SeaDuke Trojan to their malware arsenal
“Not much is known about the cyber espionage group that wields the so-called “Dukes”: backdoors and information stealers that all have “Duke” in their name, and have been used to compromise high-value, government-level targets.
Various researchers and companies have been tracking the group’s campaigns for several years, as they attacked multiple government entities and institutions in Europe; a research institute, two think tanks, and healthcare provider in the US; a research foundation in Hungary; and the US State Department and the White House.
The nature of the targets seems to indicate that the group is of Russian origin and works toward promoting Russian interests. Also, last year’s discovery of a malicious Tor exit node located in Russia that added malicious code to the software downloaded by users has been tied to the group.
For their attacks, they use several malware tools: the MiniDuke backdoor, the CozyDuke backdoor and downloader Trojan, the CosmicDuke backdoor and info-stealer.
The latest addition to their arsenal is the SeaDuke backdoor and downloader Trojan.
“SeaDuke is a low-profile information-stealing Trojan which appears to be reserved for attacks against a small number of high-value targets. SeaDuke victims are generally first infected with CozyDuke and, if the computer appears to be a target of interest, the operators will install SeaDuke,” Symantec researchers have found.
“The malware hides behind numerous layers of encryption and obfuscation and is capable of quietly stealing and exfiltrating sensitive information such as email from the victims computer.”
The researchers speculate that SeaDuke has only been recently deployed by the group because their cover was blown and they had to switch to an alternative framework.
“The SeaDuke framework was designed to be highly configurable. Hundreds of reconfigurations were identified on compromised networks. The communication protocol employed had many layers of encryption and obfuscation, using over 200 compromised web servers for command and control,” they noted.
Obviously, a lot of time, effort and resources went into creating and deploying it.
“The SeaDuke control infrastructure is essentially distinct, opening up the possibility of sub-teams concurrently exploiting the target network. Unlike CozyDuke, SeaDuke operators upload ‘task’ files directly to the command-and-control (C&C) server; there is no database as such present,” they shared.
“SeaSuke securely communicates with the C&C server over HTTP/HTTPS beneath layers of encoding (Base64) and encryption (RC4, AES). To an untrained eye, the communications look fairly benign, no doubt an effort to stay under the radar on compromised networks.”
SeaDuke is capable of doing many things: upload, download, and delete files, retrieve system information and send it to the attackers, delete itself from the system, extracting emails from MS Exchange Servers using compromised credentials, exfiltrate data via legitimate cloud services, and more.”