CLOUDDUKE

Discovered in June 2015, CloudDuke is the most recent Duke campaign. The campaign may be a tactical shift in response to the widespread disclosure of the other Duke campaigns by security firms such as Kaspersky, Symantec, and F-Secure. CloudDuke relies on spear-phishing emails that closely resemble those deployed in the CozyDuke campaign. The CloudDuke emails carry a self-extracting archive attachment that appears to be an empty voicemail file (.wav) or a PDF file (often containing the word “terrorism”). If the attachment is opened, the second-stage dropper executes. So far, the campaign has targeted European diplomatic organizations.

The CloudDuke malware consists of a downloader, a loader, and two backdoors, which are downloaded and executed from either a web address or a Microsoft OneDrive account. The malware maps a OneDrive cloud storage drive as a network drive using hardcoded credentials and then downloads its backdoors to the local system. The downloader may also download and execute additional malware, likely another Duke malware family, from a preconfigured location. CloudDuke’s backdoor functionality resembles that of SeaDuke: one backdoor contacts a preconfigured C&C server, while the other relies on a Microsoft OneDrive account. As its name suggests, CloudDuke uses cloud storage services both for its command-and-control infrastructure and as its data exfiltration channel.

Type: Nation-State Sponsor

Status: Believed active

Other Names: MiniDionis / CloudLook

Active Since/Discovered: June 2015

Last Report: Summer 2015

Targets: Pentagon, Department of Defense

Target Sectors: Government

Malware:

  • CloudDuke / MiniDionis / CloudLook: downloader, information stealer, and backdoor
    • Downloader
      • Downloads and executes additional malware from a preconfigured web address or Microsoft OneDrive account
    • Loader
    • Uses a Microsoft OneDrive account to exchange commands and stolen data with its operators
    • Can download and execute malware from a web address or OneDrive account
    • Two backdoor variants
      • Both support backdoor functionality
      • One uses preconfigured C2 servers over HTTP(S)
      • The other uses a Microsoft OneDrive account to exchange commands and stolen data

Preferred Attack Vector: Spear-phishing emails

  • Communicates with C2 via HTTP(S) and Microsoft OneDrive
  • Spear-phishing emails contain a self-extracting archive attachment that appears as an empty voicemail file (.wav) or a PDF file (often containing the word “terrorism”)

Unique:

  • May be a tactical shift in the Duke campaign