← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Duke APT group's latest tools: cloud services and Linux support
WHITE APT 29 AlienVault 2015-07-22 Modified: 2017-07-24
44
IOCs
MEDIUM VOLUME
Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or "solutions" as the Duke group apparently calls them. These components include a unique loader, downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have born a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.
clouddukedukeonedriveseadukecozydukeminidionistrojanf-secure
Indicators of Compromise (44)
All URL FileHash-SHA1 YARA FileHash-SHA256
TYPEINDICATORDESCRIPTIONCREATED
URL https://cognimuse.cs.ntua.gr/search.php 2015-07-22
URL http://www.recordsmanagementservices.com/eFax/incoming/150721/5442.ZIP 2015-07-22
URL http://files.counseling.org/eFax/incoming/150721/5442.ZIP 2015-07-22
URL http://flockfilmseries.com/eFax/incoming/5442.ZIP 2015-07-22
URL https://97.75.120.45/news/archive.php 2015-07-22
URL https://58.80.109.59/plugins/search.php 2015-07-22
URL https://portal.sbn.co.th/rss.php 2015-07-22
FileHash-SHA1 bfe26837da22f21451f0416aa9d241f98ff1c0f8 2015-07-22
FileHash-SHA1 52d44e936388b77a0afdb21b099cf83ed6cbaa6f 2015-07-22
FileHash-SHA1 cc15924d37e36060faa405e5fa8f6ca15a3cace2 2015-07-22
FileHash-SHA1 f54f4e46f5f933a96650ca5123a4c41e115a9f61 2015-07-22
FileHash-SHA1 317bde14307d8777d613280546f47dd0ce54f95b 2015-07-22
FileHash-SHA1 78fbdfa6ba2b1e3c8537be48d9efc0c47f417f3c 2015-07-22
FileHash-SHA1 c16529dbc2987be3ac628b9b413106e5749999ed 2015-07-22
FileHash-SHA1 9f5b46ee0591d3f942ccaa9c950a8bff94aa7a0f 2015-07-22
FileHash-SHA1 f97c5e8d018207b1d546501fe2036adfbf774cfd 2015-07-22
FileHash-SHA1 6a3c2ad9919ad09ef6cdffc80940286814a0aa2c 2015-07-22
FileHash-SHA1 04299c0b549d4a46154e0a754dda2bc9e43dff76 2015-07-22
FileHash-SHA1 ed0cf362c0a9de96ce49c841aa55997b4777b326 2015-07-22
FileHash-SHA1 dea6e89e36cf5a4a216e324983cc0b8f6c58eaa8 2015-07-22
FileHash-SHA1 4800d67ea326e6d037198abd3d95f4ed59449313 2015-07-22
FileHash-SHA1 28d29c702fdf3c16f27b33f3e32687dd82185e8b 2015-07-22
FileHash-SHA1 2f53bfcd2016d506674d0a05852318f9e8188ee1 2015-07-22
FileHash-SHA1 e33e6346da14931735e73f544949a57377c6b4a0 2015-07-22
FileHash-SHA1 476099ea132bf16fa96a5f618cb44f87446e3b02 2015-07-22
YARA 0a301a6448ff1a2af33b6b9aed7145d47cab172f 2017-07-24
YARA 0c6f5e93f51550d08546d1988a98b3ae69fbc379 2017-07-24
FileHash-SHA256 1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7 2017-07-24
FileHash-SHA256 51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57 2017-07-24
FileHash-SHA256 56531cc133e7a760b238aadc5b7a622cd11c835a3e6b78079d825d417fb02198 2017-07-24
FileHash-SHA256 56ac764b81eb216ebed5a5ad38e703805ba3e1ca7d63501ba60a1fb52c7ebb6e 2017-07-24
FileHash-SHA256 5d695ff02202808805da942e484caa7c1dc68e6d9c3d77dc383cfa0617e61e48 2017-07-24
FileHash-SHA256 88a40d5b679bccf9641009514b3d18b09e68b609ffaf414574a6eca6536e8b8f 2017-07-24
FileHash-SHA256 97d8725e39d263ed21856477ed09738755134b5c0d0b9ae86ebb1cdd4cdc18b7 2017-07-24
FileHash-SHA256 a713982d04d2048a575912a5fc37c93091619becd5b21e96f049890435940004 2017-07-24
FileHash-SHA256 ed7abf93963395ce9c9cba83a864acb4ed5b6e57fd9a6153f0248b8ccc4fdb46 2017-07-24
FileHash-SHA256 ee5eb9d57c3611e91a27bb1fc2d0aaa6bbfa6c69ab16e65e7123c7c49d46f145 2017-07-24
YARA 1cb3f2f549f653336273b4bce3403e8c541cf556 2017-07-24
YARA b670db96a4d4ac687063bbcebc089ca3a4045bc6 2017-07-24
YARA fd93a24a91e522d4aa3f1436a8400d5e6a5111f5 2017-07-24
YARA 0c4f4af0bb1fb309c83b98042d62676f14f2f9d1 2017-07-24
FileHash-SHA256 502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d 2017-07-24
FileHash-SHA256 97dd1ee3aca815eb655a5de9e9e8945e7ba57f458019be6e1b9acb5731fa6646 2017-07-24
FileHash-SHA256 c0675b84f5960e95962d299d4c41511bbf6f8f5f5585bdacd1ae567e904cb92f 2017-07-24
References (1)
↗ https://www.f-secure.com/weblog/archives/00002822.html