Researchers at Symantec have analyzed Seaduke, one of the Trojans used by the advanced persistent threat (APT) actor behind the “Duke” malware family.
Detected by the security firm as Trojan.Seaduke, the threat has been used by the cyber espionage group in attacks against high-value targets, mainly government organizations.
Similarities between Seaduke, CozyDuke, MiniDuke, OnionDuke and CosmicDuke have led experts to believe that these threats share the same developers, or at least developers who work together. Symantec says the threat actor, which some believe has Russian roots, has been targeting government and diplomatic organizations since at least 2010.
Seaduke is installed on computers through CozyDuke, which can be instructed to download and execute the Trojan from a compromised website.
Symantec researchers noticed that CozyDuke, which had been used in attacks against the US State Department and the White House, started deploying the Seaduke payload in October 2014, several months after the threat group launched its current campaign in March 2014.
Experts pointed out that Seaduke was delivered only to certain systems infected with CozyDuke, which could indicate that the threat actor is saving Seaduke for important targets. Symantec says the malware has been used in attacks against “major, government-level targets.”
While it’s possible that Seaduke is reserved for specific targets, it’s also possible that the APT actor’s cover was blown and the group was forced to fall back on an alternative framework, the security firm noted in a blog post published on Monday.
Once deployed on a system, Seaduke allows the attackers to retrieve system information, download and upload files, and remove the malware from the machine. In addition, attackers can use the Trojan to impersonate users through Kerberos pass-the-ticket attacks, extract emails from Microsoft Exchange servers using compromised credentials, archive sensitive data, and exfiltrate information via legitimate cloud services.
Seaduke is highly configurable, with hundreds of different configurations being identified on compromised systems by Symantec experts.
As for command and control (C&C) communications, the attackers use several layers of encryption and obfuscation, and they rely on more than 200 compromised web servers to communicate with the malware. The use of encryption and obfuscation for C&C communications increases the malware’s chances of staying under the radar.
On the other hand, the use of these techniques means that the attackers have to invest a lot of time and resources in the preparatory and operational phases of an attack, Symantec said.
The group behind the Duke malware family is currently trying to keep a low profile, but the attention its attacks on high-profile targets have recently attracted doesn’t seem to have deterred it.