Skip to content

S0053 SeaDuke

SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar. 1

Item Value
ID S0053
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 26 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols SeaDuke uses HTTP and HTTPS for C2.1
enterprise T1560 Archive Collected Data -
enterprise T1560.002 Archive via Library SeaDuke compressed data with zlib prior to sending it over C2.3
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.4
enterprise T1547.009 Shortcut Modification SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.4
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.2
enterprise T1059.003 Windows Command Shell SeaDuke is capable of executing commands.4
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding SeaDuke C2 traffic is base64-encoded.4
enterprise T1114 Email Collection -
enterprise T1114.002 Remote Email Collection Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography SeaDuke C2 traffic has been encrypted with RC4 and AES.34
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup.5
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion SeaDuke can securely delete files, including deleting itself from the victim.2
enterprise T1105 Ingress Tool Transfer SeaDuke is capable of uploading and downloading files.4
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing SeaDuke has been packed with the UPX packer.4
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.003 Pass the Ticket Some SeaDuke samples have a module to use pass the ticket with Kerberos for authentication.2
enterprise T1078 Valid Accounts Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.2

Groups That Use This Software

ID Name References
G0016 APT29 16

References

Back to top