APT Group Uses Seaduke Trojan to Steal Data From High-Value Targets

Researchers at Symantec have analyzed Seaduke, one of the Trojans used by the advanced persistent threat (APT) actor behind the “Duke” malware family.

Detected by the security firm as Trojan.Seaduke, the threat has been used by the cyber espionage group in attacks against high-value targets, mainly government organizations.

Similarities between Seaduke, CozyDuke, MiniDuke, OnionDuke and CosmicDuke have led experts to believe that the developers of these threats are the same, or at least they work together. Symantec says the threat actor, which is believed by some to have Russian roots, has been targeting government and diplomatic organizations since at least 2010.

Seaduke is installed on computers through CozyDuke, which can be instructed to download and execute the Trojan from a compromised website.

Symantec researchers noticed that CozyDuke, which had been used in attacks against the US State Department and the White House, started deploying the Seaduke payload in October 2014, several months after the threat group launched its current campaign in March 2014.

Experts pointed out that Seaduke was delivered only to certain systems infected with CozyDuke, which could indicate that the threat actor is saving Seaduke for important targets. Symantec says the malware has been used in attacks against “major, government-level targets.”

While it’s possible that Seaduke is reserved for specific targets, it’s also possible that the APT actor’s cover was blown, requiring the use of an alternative framework, the security firm noted in a blog post published on Monday.

Once deployed on a system, Seaduke lets the attackers retrieve system information, download and upload files, and remove the malware itself. The attackers can also use the Trojan to impersonate users through Kerberos pass-the-ticket attacks, extract emails from Microsoft Exchange servers using compromised credentials, archive sensitive data, and exfiltrate the information via legitimate cloud services.
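The pass-the-ticket capability above is one a defender can hunt for in domain controller logs. The following is an added example, not code from Symantec or from the article, and it is a generic heuristic rather than a description of Seaduke's own behaviour: a service ticket request (Windows Security Event ID 4769) from a client address that never requested a TGT (Event ID 4768) for the same account is a candidate injected ticket. The CSV lines are constructed sample data; the column layout and the hypothetical helper names are assumptions of this example.

```python
import csv
import io

# Constructed sample of Kerberos events exported from all domain controllers
# as CSV: timestamp, EventID, TargetUserName, IpAddress (constructed data).
# 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ).
# Real exports often carry IPv4-mapped addresses such as ::ffff:10.0.0.5.
SAMPLE_LOG = """\
2015-07-13T08:00:01Z,4768,alice,::ffff:10.0.0.5
2015-07-13T08:00:02Z,4769,alice,10.0.0.5
2015-07-13T08:15:40Z,4769,alice,::ffff:10.0.0.5
2015-07-13T08:20:11Z,4768,bob,10.0.0.7
2015-07-13T08:20:12Z,4769,bob,10.0.0.7
2015-07-13T09:02:33Z,4769,bob,10.0.0.42
2015-07-13T09:05:10Z,4769,svc_backup,10.0.0.9
"""


def normalize_ip(ip):
    """Strip the IPv4-mapped prefix so 4768 and 4769 entries compare equal."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def parse_events(text):
    """Parse the constructed CSV export into (timestamp, event_id, account, ip)
    tuples, sorted chronologically (ISO-8601 UTC timestamps sort lexically)."""
    rows = []
    for ts, event_id, account, ip in csv.reader(io.StringIO(text)):
        rows.append((ts, int(event_id), account.lower(), normalize_ip(ip)))
    rows.sort(key=lambda r: r[0])
    return rows


def find_tgs_without_tgt(events):
    """Return 4769 events whose (account, client_ip) pair has no earlier 4768
    from the same address. A legitimately obtained ticket is preceded by an
    AS exchange from that client; an injected ticket typically is not."""
    tgt_seen = set()
    findings = []
    for ts, event_id, account, ip in events:
        key = (account, ip)
        if event_id == 4768:
            tgt_seen.add(key)
        elif event_id == 4769 and key not in tgt_seen:
            findings.append({"time": ts, "account": account, "client_ip": ip})
    return findings


def main():
    for hit in find_tgs_without_tgt(parse_events(SAMPLE_LOG)):
        print(f"{hit['time']} TGS request for {hit['account']} from "
              f"{hit['client_ip']} with no prior TGT request from that address")


if __name__ == "__main__":
    main()
```

Treat each hit as a hunting lead, not a verdict: a TGT may have been issued before the log window began or renewed from a different DC, so the events from every domain controller must be collected together and the window must be wide enough to cover normal ticket lifetimes before the absence of a 4768 means anything.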

Seaduke is highly configurable, with hundreds of different configurations being identified on compromised systems by Symantec experts.

As for command and control (C&C) communications, the attackers use several layers of encryption and obfuscation, and they rely on more than 200 compromised web servers to communicate with the malware. The use of encryption and obfuscation for C&C communications increases the malware’s chances of staying under the radar.

At the same time, these techniques mean the attackers have to invest considerable time and resources in the preparatory and operational phases of an attack, Symantec said.

The group behind the Duke malware family is currently trying to keep a low profile, but the attention its attacks on high-profile targets have attracted recently does not seem to have disturbed it.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.