Security researchers at Symantec have analyzed Trojan.Seaduke, a malware family used by the APT group behind the Duke espionage campaigns, which have targeted numerous government organizations worldwide.
Seaduke shares many similarities with other malicious code used by the threat actor behind the Duke campaigns, such as CosmicDuke, CozyDuke, MiniDuke and OnionDuke. For this reason, malware researchers believe the same development team is behind all of these tools.
“The group behind Seaduke is a cyberespionage operation that is responsible for a series of attacks against high-profile individuals and organizations in government, international policy and private research in the United States and Europe. It has a range of malware tools at its disposal, known as the Dukes, including Cozyduke (Trojan.Cozer), Miniduke (Backdoor.Miniduke) and Cosmicduke (Backdoor.Tinybaron). News of the Duke group first emerged in March and April of 2015, when reports detailing attacks involving a sophisticated threat actor variously called Office Monkeys, EuroAPT, Cozy Bear, and Cozyduke were published. Symantec believes that this group has a history of compromising governmental and diplomatic organizations since at least 2010,” states the report published by Symantec.
Security experts have attributed MiniDuke, OnionDuke and CosmicDuke to Russian-speaking authors, and CozyDuke appears to share the same origin.
“CozyDuke is definitely connected to these two campaigns, as well as to the OnionDuke cyberespionage operation,” explained Baumgartner, Principal Researcher at Kaspersky Lab’s Global Research and Analysis Team. “Every one of these threat actors continues to track their targets, and we believe their espionage tools are all created and managed by Russian-speakers.”
The coreshell and chopstick components associated with the CozyDuke backdoor remind experts of another advanced persistent threat actor, the APT28 group, which is considered a state-sponsored hacking collective and has been blamed for the cyber attacks against the US State Department and the White House.
Symantec researchers believe the group behind the Duke campaigns is of Russian origin and has been active since at least 2010.
Seaduke is delivered to target systems by the CozyDuke malware, which downloads the Seaduke payload from a compromised website and executes it.
Experts highlighted that Seaduke was deployed only against high-value targets in order to siphon off sensitive data. The malware has a modular structure and can perform a number of actions by loading specific payloads.
The Seaduke payloads allow the malware to perform the following operations:
The researchers explained that the operators behind the Seaduke campaign rely on more than 200 compromised web servers as command-and-control infrastructure.
“The malware hides behind numerous layers of encryption and obfuscation and is capable of quietly stealing and exfiltrating sensitive information such as email from the victim’s computer. Seaduke has a highly configurable framework and Symantec has already found hundreds of different configurations on compromised networks,” Symantec reports.
(Security Affairs – Seaduke, malware)