Tool: SeaDuke
Names: SeaDuke, SeaDaddy, SeaDesk, SeaDask
Description: (F-Secure) SeaDuke is a simple backdoor that focuses on executing commands retrieved from its C&C server, such as uploading and downloading files, executing system commands and evaluating additional Python code. SeaDuke is made interesting by the fact that it is written in Python and designed to be cross-platform so that it works on both Windows and Linux. The only known infection vector for SeaDuke is via an existing {{CozyDuke}} infection, wherein CozyDuke downloads and executes the SeaDuke toolset. Like {{HammerDuke}}, SeaDuke appears to be used by the Dukes group primarily as a secondary backdoor left on CozyDuke victims after that toolset has completed the initial infection and stolen any readily available information from them.
Category: Malware
Type: Backdoor, Exfiltration
Information: https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf
Information: https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html
Information: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
Mitre-attack: https://attack.mitre.org/software/S0053/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:seaduke
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
MITRE ATT&CK techniques (tactics with no mapped technique are omitted):
Technique | Tactic(s) | Note |
---|---|---|
T1078 Valid Accounts | Initial Access, Persistence, Privilege Escalation, Defense Evasion | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials. |
T1059.001 Command and Scripting Interpreter: PowerShell | Execution | SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket. |
T1059.003 Command and Scripting Interpreter: Windows Command Shell | Execution | SeaDuke is capable of executing commands. |
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | SeaDuke is capable of persisting via the registry Run key or a .lnk file stored in the Startup directory. |
T1547.009 Boot or Logon Autostart Execution: Shortcut Modification | Persistence, Privilege Escalation | SeaDuke is capable of persisting via a .lnk file stored in the Startup directory. |
T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation | SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup. |
T1070.004 Indicator Removal: File Deletion | Defense Evasion | SeaDuke can securely delete files, including deleting itself from the victim. |
T1027.002 Obfuscated Files or Information: Software Packing | Defense Evasion | SeaDuke has been packed with the UPX packer. |
T1550.003 Use Alternate Authentication Material: Pass the Ticket | Defense Evasion, Lateral Movement | Some SeaDuke samples have a module to use Pass the Ticket with Kerberos for authentication. |
T1560.002 Archive Collected Data: Archive via Library | Collection | SeaDuke compressed data with zlib prior to sending it over C2. |
T1114.002 Email Collection: Remote Email Collection | Collection | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials. |
T1573.001 Encrypted Channel: Symmetric Cryptography | Command and Control | SeaDuke C2 traffic has been encrypted with RC4 and AES. |
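The T1546.003 entry describes the persistence shape a hunter should look for: a WMI `__EventFilter` that fires on system uptime shortly after boot, bound to a consumer that launches a file the malware dropped earlier. The following triage logic is an added example for this card, not code from SeaDuke or from the ETDA/MITRE sources. The subscription records, the field names (`filter_query`, `consumer_class`, `consumer_command`) and the scoring thresholds are this example's own assumptions, standing in for whatever a collector exported from `root\subscription`.

```python
"""Triage WMI permanent event subscriptions for boot-time launch of dropped files.

Added illustration for the T1546.003 persistence technique on this card.
The records below are constructed to resemble a collector's dump of
__FilterToConsumerBinding joined with its filter and consumer; they are not
SeaDuke artefacts and the field names are this example's own.
"""
import re

# A __EventFilter query that fires once, a few minutes after boot, by
# watching the OS uptime performance counter.
BOOT_TRIGGER_RE = re.compile(
    r"__InstanceModificationEvent.*Win32_PerfFormattedData_PerfOS_System"
    r".*SystemUpTime\s*>=?\s*\d+",
    re.IGNORECASE | re.DOTALL,
)
# Locations a non-admin dropper can write to; a launcher here is far more
# suspicious than one under Program Files or System32.
USER_WRITABLE_RE = re.compile(
    r"(%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|\\Users\\[^\\]+\\|\\ProgramData\\)",
    re.IGNORECASE,
)
EXEC_FILE_RE = re.compile(r"\.(exe|cmd|bat|vbs|ps1|py)\b", re.IGNORECASE)


def triage_binding(binding: dict) -> dict:
    """Score one binding: each independent indicator adds one point."""
    reasons = []
    query = binding.get("filter_query", "")
    command = binding.get("consumer_command", "")
    if BOOT_TRIGGER_RE.search(query):
        reasons.append("filter fires on uptime shortly after boot")
    if USER_WRITABLE_RE.search(command):
        reasons.append("consumer launches from a user-writable path")
    if binding.get("consumer_class") == "CommandLineEventConsumer" and EXEC_FILE_RE.search(command):
        reasons.append("CommandLineEventConsumer runs a file on disk")
    return {"name": binding.get("name", "?"), "score": len(reasons), "reasons": reasons}


def triage_subscriptions(bindings) -> list:
    """Return only bindings with two or more indicators, strongest first."""
    hits = [triage_binding(b) for b in bindings]
    return sorted((h for h in hits if h["score"] >= 2), key=lambda h: -h["score"])


# Constructed sample records (not real SeaDuke data): one boot-triggered
# launcher of a file under a user profile, one benign CPU-load monitor.
SAMPLE_BINDINGS = [
    {
        "name": "SCM Event Log Filter",
        "filter_query": (
            "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
            "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND "
            "TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
        ),
        "consumer_class": "CommandLineEventConsumer",
        "consumer_command": r"C:\Users\alice\AppData\Roaming\svc\update.exe",
    },
    {
        "name": "CPU load monitor",
        "filter_query": (
            "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
            "TargetInstance ISA 'Win32_Processor' AND TargetInstance.LoadPercentage > 99"
        ),
        "consumer_class": "ActiveScriptEventConsumer",
        "consumer_command": "",
    },
]

if __name__ == "__main__":
    for finding in triage_subscriptions(SAMPLE_BINDINGS):
        print(finding["name"], finding["score"], "; ".join(finding["reasons"]))
```

The two-point threshold is deliberate: uptime-triggered filters and consumers under `\Users\` each occur legitimately on their own, but the combination (boot trigger plus a launcher the user could have written) is the pattern the card describes, so it is scored before either indicator alone.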
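The Collection and Command and Control entries together describe a layered message format: data is zlib-compressed, then encrypted with a symmetric cipher (RC4 or AES) before it leaves the host. The decoder below is an added example written for this card, not SeaDuke's code and not its real protocol or key material; the RC4 variant is shown, and the key, the message layout and the base64 transport wrapper are assumptions for the illustration. Beyond undoing the layers, it shows the check an analyst actually uses when several candidate keys have been pulled from different samples: a correct key is the one whose output starts with a valid zlib header and inflates cleanly.

```python
"""Layered C2 payload handling: zlib compression under RC4 encryption.

Added illustration for the zlib (T1560.002) and symmetric-crypto (T1573.001)
entries on this card. The key, the tasking message and the base64 wrapper are
constructed for the example and are not SeaDuke's real protocol.
"""
import base64
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap(key: bytes, plaintext: bytes) -> str:
    """Agent side: compress, encrypt, then base64 for transport in an HTTP body."""
    return base64.b64encode(rc4(key, zlib.compress(plaintext))).decode("ascii")


def unwrap(key: bytes, blob: str) -> bytes:
    """Analyst side: undo the layers in reverse order (decrypt, then inflate)."""
    return zlib.decompress(rc4(key, base64.b64decode(blob)))


def looks_like_zlib(buf: bytes) -> bool:
    """Cheap 'did this key work?' oracle from the zlib header: the CMF byte's
    low nibble is 8 (deflate) and CMF*256 + FLG is a multiple of 31."""
    if len(buf) < 2:
        return False
    cmf, flg = buf[0], buf[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def find_key(blob: str, candidates):
    """Try each candidate RC4 key against a captured blob; return the first one
    whose decryption both passes the header check and actually inflates."""
    raw = base64.b64decode(blob)
    for key in candidates:
        dec = rc4(key, raw)
        if not looks_like_zlib(dec):
            continue
        try:
            zlib.decompress(dec)
            return key
        except zlib.error:
            continue
    return None


# Constructed sample (not real SeaDuke data): a pretend tasking message and a
# few keys an analyst might have recovered from different samples.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_TASK = b'{"cmd":"exec","args":"whoami"}'
SAMPLE_BLOB = wrap(SAMPLE_KEY, SAMPLE_TASK)
CANDIDATE_KEYS = [b"wrong-key-1", b"another-guess", SAMPLE_KEY]

if __name__ == "__main__":
    print("blob:", SAMPLE_BLOB)
    print("key found:", find_key(SAMPLE_BLOB, CANDIDATE_KEYS))
    print("tasking:", unwrap(SAMPLE_KEY, SAMPLE_BLOB))
```

The order matters in practice: decrypting first and then inflating is the only sequence that works, so a capture that will not inflate under any known key points at the other cipher (AES) or a different key rather than at a corrupt stream. The header check is only a filter; `zlib.decompress` succeeding is the actual confirmation, because random bytes pass the 2-byte test about one time in five hundred.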