SEADUKE

SeaDuke appeared in October 2014, after the disclosure of most of the Duke campaigns. Like the majority of the Duke family, SeaDuke exclusively targets government organizations. The main difference between Seaduke and its sister campaigns is that SeaDuke focuses on a small number of high-value targets. Additionally, of the Duke malware, SeaDuke alone is programmed in python. This developers’ choice could indicate that the group is expanding their victim pool to Linux systems as well as Windows hosts. The overall framework of the malware remains similar to CozyDuke.

SeaDuke is a highly configurable trojan and backdoor that is often installed onto victim systems through CozyDuke or via a compromised website. It has hundreds of possible configurations According to Symantec, the threat actor behind CozyDuke may only deploy SeaDuke in systems belonging to “major government-level targets.” SeaDuke primarily allows the attacker to upload, to download, and to delete files on the victim machine as well as to retrieve bot/ system information and to update the bot configuration. It is possible that the threat actor deploys the malware to remove the indicators of compromise from other campaigns after a successful breach. The trojan may also be used to conduct pass the ticket attacks on Kerberos systems, to steal emails from Microsoft Exchange servers using compromised credentials, to archive sensitive data, or to exfiltrate data through legitimate cloud services. The C&C infrastructure behind SeaDuke relies on over 200 compromised web servers and several layers of RC4 and AES encryption and Base 64 encoding techniques. These extra obfuscation measures may be an attempt to remain undiscovered and thereby remove the attention on the Duke campaigns. SeaDuke communicates with its C&C servers via HTTP(s).

Click to Share This Post

Type: Nation-State Sponsor

Status: Believed actove

Other Names: SeaDaddy/ SeaDask

Active Since/Discovered: October 2014

Last Report: Spring 2015

Targets: Small number of high-value targets, major-government targets, Diplomatic targets

Target Sectors: Government

SeaDuke – Secondary backdoor for CozyCar infections
- HTTP(s) C2 communication
  - Traffic is Base64 encoded and encrypted with RC4 and AES
  - Data compressed with zlib
- Focus on executing C2 commands
- module to extract email from Microsoft Exchange servers using compromised credentials.
- module to use pass the ticket with Kerberos for authentication
- can securely delete files, including deleting itself from the victim
- uses an event filter in WMI code to execute a previously dropped executable shortly after system startup
- uses a module to execute Mimikatz with PowerShell to perform “Pass the Ticket” Kerberos attacks
- persistence via the Registry Run key
- persistence via .lnk file stored in the Startup directory.
- uploading and downloading files, executing system commands and evaluating additional Python code
- Hundreds of possible configurations
- Download, and delete victim files

Preferred Attack Vector: CozyDuke infection, watering-hole attack

Written in Python
Executes on both Windows and Linux
Used in pass-the-ticket Kerberos attacks
Used to steal Microsoft Exchange emails
C2 infrastructure- 200 compromised web servers behind layers of RC4 and AES encryption and Base 64 encoding techniques

Unique:

Primarily a secondary backdoor for other Duke campaigns
May be used to remove other Duke campaign IoCs from victim systems