SeaDuke appeared in October 2014, after most of the Duke campaigns had already been publicly disclosed. Like the majority of the Duke family, SeaDuke exclusively targets government organizations. The main difference between SeaDuke and its sister campaigns is that SeaDuke is reserved for a small number of high-value targets. Additionally, among the Duke malware, SeaDuke alone is written in Python. This choice by the developers could indicate that the group is expanding its victim pool to Linux systems as well as Windows hosts, since the same Python code base can be packaged for either platform. The overall framework of the malware remains similar to CozyDuke.
SeaDuke is a highly configurable trojan and backdoor that is often installed on victim systems through CozyDuke or via a compromised website. It has hundreds of possible configurations. According to Symantec, the threat actor behind CozyDuke may only deploy SeaDuke on systems belonging to "major government-level targets." SeaDuke primarily allows the attacker to upload, download, and delete files on the victim machine, to retrieve bot and system information, and to update the bot configuration. It is possible that the threat actor deploys the malware to remove the indicators of compromise left by other campaigns after a successful breach. The trojan may also be used to conduct pass-the-ticket attacks against Kerberos, to steal email from Microsoft Exchange servers using compromised credentials, to archive sensitive data, or to exfiltrate data through legitimate cloud services.

The C&C infrastructure behind SeaDuke relies on over 200 compromised web servers, and its traffic is wrapped in several layers of RC4 and AES encryption and Base64 encoding. These extra layers may be an attempt to remain undiscovered and thereby reduce attention on the Duke campaigns; note that they hide the content of the exchange, not the fact that a host is beaconing to a compromised legitimate site, which is where network-level detection still has purchase. SeaDuke communicates with its C&C servers via HTTP(S).