APT Group Uses Seaduke Trojan to Steal Data From High-Value Targets

Researchers at Symantec have analyzed Seaduke, one of the Trojans used by the advanced persistent threat (APT) actor behind the “Duke” malware family.

Detected by the security firm as Trojan.Seaduke, the threat has been used by the cyber espionage group in attacks against high-value targets, mainly government organizations.

Similarities between Seaduke, CozyDuke, MiniDuke, OnionDuke and CosmicDuke have led experts to believe that the developers of these threats are the same, or at least they work together. Symantec says the threat actor, which is believed by some to have Russian roots, has been targeting government and diplomatic organizations since at least 2010.

Seaduke is installed on computers through CozyDuke, which can be instructed to download and execute the Trojan from a compromised website.

Symantec researchers noticed that CozyDuke, which had been used in attacks against the US State Department and the White House, started deploying the Seaduke payload in October 2014, several months after the threat group launched its current campaign in March 2014.

Experts pointed out that Seaduke was delivered only to certain systems infected with CozyDuke, which could indicate that the threat actor is saving Seaduke for important targets. Symantec says the malware has been used in attacks against “major, government-level targets.”

While it’s possible that Seaduke is reserved for specific targets, it’s also possible that the APT actor’s cover was blown, requiring the use of an alternative framework, the security firm noted in a blog post published on Monday.

Once it’s deployed on a system, Seaduke allows the attackers to retrieve system information, download and upload files, and delete the malware. In addition, attackers can use the Trojan for impersonation through Kerberos pass-the-ticket attacks, extract emails from Microsoft Exchange servers using compromised credentials, archive sensitive data, and exfiltrate information via legitimate cloud services.

Seaduke is highly configurable, with hundreds of different configurations being identified on compromised systems by Symantec experts.

As for command and control (C&C) communications, the attackers use several layers of encryption and obfuscation, and they rely on more than 200 compromised web servers to communicate with the malware. The use of encryption and obfuscation for C&C communications increases the malware’s chances of staying under the radar.

On the other hand, the use of these techniques means that the attackers have to invest a lot of time and resources in the preparatory and operational phases of an attack, Symantec said.

The group behind the Duke malware family is currently trying to keep a low profile, but the attention it has attracted recently because of its attacks on high-profile targets does not appear to have deterred it.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.