S0053 SeaDuke
SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar.[1]
Item | Value |
---|---|
ID | S0053 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 31 May 2017 |
Last Modified | 26 April 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | SeaDuke uses HTTP and HTTPS for C2.[1] |
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.002 | Archive via Library | SeaDuke compressed data with zlib prior to sending it over C2.[4] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.[3] |
enterprise | T1547.009 | Shortcut Modification | SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.[3] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.[2] |
enterprise | T1059.003 | Windows Command Shell | SeaDuke is capable of executing commands.[3] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | SeaDuke C2 traffic is base64-encoded.[3] |
enterprise | T1114 | Email Collection | - |
enterprise | T1114.002 | Remote Email Collection | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | SeaDuke C2 traffic has been encrypted with RC4 and AES.[4][3] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup.[5] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | SeaDuke can securely delete files, including deleting itself from the victim.[2] |
enterprise | T1105 | Ingress Tool Transfer | SeaDuke is capable of uploading and downloading files.[3] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.002 | Software Packing | SeaDuke has been packed with the UPX packer.[3] |
enterprise | T1550 | Use Alternate Authentication Material | - |
enterprise | T1550.003 | Pass the Ticket | Some SeaDuke samples have a module to use pass the ticket with Kerberos for authentication.[2] |
enterprise | T1078 | Valid Accounts | Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [1][6][2] |
References
- [1] F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- [2] Symantec Security Response. (2015, July 13). "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
- [3] Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
- [4] Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
- [5] Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
- [6] Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.