1. Home
  2. Software
  3. SeaDuke

SeaDuke

SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar. [1]

ID: S0053
Associated Software: SeaDaddy, SeaDesk
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 26 April 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1546 .003 事件触发执行: Windows Management Instrumentation Event Subscription

SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup.[2]
Enterprise T1550 .003 使用备用认证材料: Pass the Ticket

Some SeaDuke samples have a module to use pass the ticket with Kerberos for authentication.[3]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

SeaDuke C2 traffic has been encrypted with RC4 and AES.[4][5]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.[5]
.009 启动或登录自动启动执行: Shortcut Modification

SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.[5]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.[3]
.003 命令与脚本解释器: Windows Command Shell

SeaDuke is capable of executing commands.[5]
Enterprise T1071 .001 应用层协议: Web Protocols

SeaDuke uses HTTP and HTTPS for C2.[1]
Enterprise T1560 .002 归档收集数据: Archive via Library

SeaDuke compressed data with zlib prior to sending it over C2.[4]
Enterprise T1132 .001 数据编码: Standard Encoding

SeaDuke C2 traffic is base64-encoded.[5]
Enterprise T1078 有效账户

Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[3]
Enterprise T1027 .002 混淆文件或信息: Software Packing

SeaDuke has been packed with the UPX packer.[5]
Enterprise T1114 .002 电子邮件收集: Remote Email Collection

Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[3]
Enterprise T1070 .004 移除指标: File Deletion

SeaDuke can securely delete files, including deleting itself from the victim.[3]
Enterprise T1105 输入工具传输

SeaDuke is capable of uploading and downloading files.[5]

Groups That Use This Software

ID Name References
G0016 APT29

[1][6][3]

References

  1. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  2. Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
  3. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  1. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
  2. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  3. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.