Seaduke, a new Trojan used by the advanced persistent threat (APT) attacker behind the “Duke” malware family, is going after governmental organizations, researchers said.
Detected by Symantec as Trojan.Seaduke, the malware shares similarities with CozyDuke, MiniDuke, OnionDuke and CosmicDuke, the company's researchers said.
These similarities led researchers to conclude that the threats come from the same attacker, or at least from attackers working together. Symantec says the attacker, which it believes has Russian roots, has been targeting government and diplomatic organizations since 2010.
Seaduke is installed on systems through CozyDuke, which can be instructed to download and execute the Trojan from a compromised website.
Symantec researchers said CozyDuke, which has seen action in attacks against the U.S. State Department and the White House, started deploying the Seaduke payload in October 2014, months after the threat group launched its current campaign in March 2014.
Researchers pointed out that Seaduke was delivered only to certain systems infected with CozyDuke, which could indicate the attacker is saving Seaduke for important targets. Symantec said the malware has been used in attacks against “major, government-level targets.”
While it’s possible that Seaduke is reserved for specific targets, it’s also possible that, with the APT now a known entity, the group has had to retool, Symantec researchers said.
Once deployed on a system, Seaduke allows the attackers to retrieve system information, download and upload files, and delete the malware.