1. Home
  2. Software
  3. SeaDuke

SeaDuke

SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar. [1]

ID: S0053
Associated Software: SeaDaddy, SeaDesk
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 26 April 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

SeaDuke uses HTTP and HTTPS for C2.[1]
Enterprise T1560 .002 Archive Collected Data: Archive via Library

SeaDuke compressed data with zlib prior to sending it over C2.[2]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.[3]
.009 Boot or Logon Autostart Execution: Shortcut Modification

SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.[3]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.[4]
.003 Command and Scripting Interpreter: Windows Command Shell

SeaDuke is capable of executing commands.[3]
Enterprise T1132 .001 Data Encoding: Standard Encoding

SeaDuke C2 traffic is base64-encoded.[3]
Enterprise T1114 .002 Email Collection: Remote Email Collection

Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[4]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

SeaDuke C2 traffic has been encrypted with RC4 and AES.[2][3]
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup.[5]
Enterprise T1070 .004 Indicator Removal: File Deletion

SeaDuke can securely delete files, including deleting itself from the victim.[4]
Enterprise T1105 Ingress Tool Transfer

SeaDuke is capable of uploading and downloading files.[3]
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

SeaDuke has been packed with the UPX packer.[3]
Enterprise T1550 .003 Use Alternate Authentication Material: Pass the Ticket

Some SeaDuke samples have a module to use pass the ticket with Kerberos for authentication.[4]
Enterprise T1078 Valid Accounts

Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[4]

Groups That Use This Software

ID Name References
G0016 APT29

[1][6][4]

References

  1. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  2. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  3. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  1. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  2. Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
  3. Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.