SeaDuke
Description
(F-Secure) SeaDuke is a simple backdoor that focuses on executing commands retrieved from its C&C server, such as uploading and downloading files, executing system commands and evaluating additional Python code. SeaDuke is made interesting by the fact that it is written in Python and designed to be cross-platform so that it works on both Windows and Linux.
The only known infection vector for SeaDuke is via an existing CozyDuke infection, wherein CozyDuke downloads and executes the SeaDuke toolset.
Like HammerDuke, SeaDuke appears to be used by the Dukes group primarily as a secondary backdoor left on CozyDuke victims after that toolset has completed the initial infection and stolen any readily available information from them.
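The description above gives the behavioural shape of the implant (a Python interpreter on either platform that talks to a C&C server, runs system commands and evaluates further Python) but no indicators, so the most useful thing to add here is a hunt over process telemetry keyed on that shape rather than on hashes. The following is an added example written for this card, not code from F-Secure or from the toolset itself; the event schema, the field names, the staging-directory list and the sample records are all constructed assumptions to be tuned against your own EDR data.

```python
"""Behavioural hunt for a cross-platform Python backdoor.

Added example for this card (assumptions: the ProcEvent schema, the
directory list and the sample events are constructed, not SeaDuke IOCs).
"""
import ntpath
import posixpath
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProcEvent:
    """One process-creation record with enrichment (constructed schema)."""
    host: str
    pid: int
    image: str                       # full path of the executable
    cmdline: str
    outbound_conns: int = 0          # outbound TCP connections seen for this pid
    children: List[str] = field(default_factory=list)  # images of child processes


PYTHON_NAMES = {"python", "python2", "python3", "python.exe", "pythonw.exe"}
SHELL_NAMES = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}
# User-writable drop locations on both platforms (assumption; tune per estate).
STAGING_DIRS = re.compile(r"(^|[\\/])(tmp|dev/shm|appdata|temp|downloads)([\\/]|$)",
                          re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, handling Windows and POSIX paths on any analyst OS."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)


def is_python(image: str) -> bool:
    name = basename(image).lower()
    return name in PYTHON_NAMES or re.fullmatch(r"python\d(\.\d+)?", name) is not None


def script_path(cmdline: str) -> str:
    """First token after the interpreter that looks like a .py file, else ''."""
    for tok in cmdline.split()[1:]:
        if tok.lower().endswith(".py"):
            return tok
    return ""


def suspicious_reasons(ev: ProcEvent) -> List[str]:
    """Return the reasons this event matches the backdoor profile (empty if none)."""
    if not is_python(ev.image):
        return []
    reasons: List[str] = []
    # A backdoor "executing system commands" shows up as an interpreter that
    # both holds outbound connections and spawns shells.
    shells = [c for c in ev.children if basename(c).lower() in SHELL_NAMES]
    if ev.outbound_conns > 0 and shells:
        reasons.append("network-active interpreter spawned shell(s): " + ", ".join(shells))
    # A dropped second-stage script tends to live in a user-writable directory.
    sp = script_path(ev.cmdline)
    if sp and STAGING_DIRS.search(sp):
        reasons.append("script run from user-writable staging dir: " + sp)
    # Inline code plus network activity: "evaluating additional Python code".
    if " -c " in ev.cmdline and ev.outbound_conns > 0:
        reasons.append("inline -c code with outbound connections")
    return reasons


def hunt(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that matches at least one rule."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        reasons = suspicious_reasons(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits


# Constructed sample telemetry: two hostile-looking records, two benign ones.
SAMPLE_EVENTS = [
    ProcEvent("lx-ws01", 4101, "/usr/bin/python3",
              "python3 /tmp/.cache/update.py", outbound_conns=3, children=["/bin/sh"]),
    ProcEvent("win-ws07", 2207, r"C:\Python27\pythonw.exe",
              r"pythonw.exe C:\Users\bob\AppData\Roaming\svc.py",
              outbound_conns=1, children=[r"C:\Windows\System32\cmd.exe"]),
    ProcEvent("lx-ws01", 1199, "/usr/bin/python3",
              "python3 /opt/app/manage.py runserver", outbound_conns=2),
    ProcEvent("lx-ws01", 3300, "/usr/bin/python3", 'python3 -c "print(1)"'),
]

if __name__ == "__main__":
    for pid, why in hunt(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(why))
```

The rules deliberately require two signals for the network case (connections and a spawned shell) so that a developer's local web server or an inline `python3 -c` one-liner does not fire; the staging-directory rule fires on its own because a script executing from a temp or profile directory is rare enough on managed hosts to be worth a look regardless of what it connected to.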
Names
Name |
---|
SeaDuke |
SeaDaddy |
SeaDesk |
SeaDask |
Category
Malware
Type
- Backdoor
- Exfiltration
Information
- https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
Other Information
Uuid
8fe4f869-e5d7-4844-ab0b-57d67fd38000
Last Card Change
2022-12-30