CLOUDDUKE
Discovered in June 2015, CloudDuke is the most recent Duke campaign. The campaign may be a tactical shift in response to the widespread disclosure of the other Duke campaigns by security firms such as Kaspersky, Symantec, and F-Secure. CloudDuke relies on spear phishing emails that closely resemble those deployed in the CozyDuke campaign. The CloudDuke emails carry a self-extracting archive attachment that appears to be an empty voicemail file (.wav) or a PDF file (often with the word “terrorism” in its name). If the attachment is opened, the second-stage dropper executes. So far, the campaign has targeted European diplomatic organizations.
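The lure described above, a self-extracting archive presented as a .wav or .pdf attachment, can be caught at the mail gateway by comparing the claimed file type (extension) with the file's actual header bytes. The following Python check is an added example, not code from the original report; the sample attachments are constructed and are not real CloudDuke samples.

```python
import os

# Expected leading bytes for the document types the CloudDuke lures claim to be.
# A RIFF/WAVE file starts with "RIFF", a 4-byte size, then "WAVE".
EXPECTED_MAGIC = {".pdf": b"%PDF", ".wav": b"RIFF"}
PE_MAGIC = b"MZ"  # DOS/PE header: what a self-extracting archive actually starts with


def classify_attachment(name: str, data: bytes) -> str:
    """Compare an attachment's claimed type (extension) with its real header.

    Returns 'ok', 'mismatch' (document extension but non-document content),
    'executable' (a PE file not pretending to be a document) or 'unknown'.
    """
    ext = os.path.splitext(name.lower())[1]
    is_pe = data.startswith(PE_MAGIC)
    if ext not in EXPECTED_MAGIC:
        return "executable" if is_pe else "unknown"
    if is_pe:
        return "mismatch"  # the CloudDuke lure pattern: SFX executable named as a document
    if not data.startswith(EXPECTED_MAGIC[ext]):
        return "mismatch"
    if ext == ".wav" and data[8:12] != b"WAVE":
        return "mismatch"  # RIFF container that is not actually a WAVE file
    return "ok"


def suspicious_attachments(attachments):
    """Return the names of attachments whose extension and content disagree."""
    return [n for n, d in attachments if classify_attachment(n, d) == "mismatch"]


# Constructed sample attachments: a genuine PDF, a genuine (empty) WAV, and two
# PE/SFX stubs renamed to look like the voicemail and PDF lures.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("voicemail.wav", b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt "),
    ("voicemail_empty.wav", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("terrorism_report.pdf", b"MZ\x90\x00" + b"\x00" * 60),
]

if __name__ == "__main__":
    for name in suspicious_attachments(SAMPLES):
        print("extension/content mismatch:", name)
```

In production the same check belongs inside a gateway rule that also unpacks archives, since the header comparison only sees the outermost file.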
The CloudDuke malware consists of a downloader, a loader, and two backdoors, which are downloaded and executed from either a web address or a Microsoft OneDrive account. The malware maps a OneDrive cloud storage drive as a network drive using hardcoded credentials and then downloads its backdoors to the local system. The downloader may also download and execute additional malware, likely another Duke malware, from a preconfigured location. CloudDuke’s backdoor functionality resembles that of SeaDuke. One backdoor contacts a preconfigured C&C server, while the other relies on a Microsoft OneDrive account. As its name suggests, CloudDuke uses cloud storage services both for its command and control infrastructure and as its data exfiltration channel.