Dangerous Duke APT Trojan Uses OneDrive

Posted on by Security Zap

[URGENT] Duke APT Gets Major Update: Cloud and Linux Support

In recent weeks Duke APT group’s toolkit, SeaDuke and CloudDuke  trojans have received major updates. SeaDuke is a simple trojan written in Python and it is a first cross-platform malware, from Duke APT group, supporting both Linux and Windows. Differently from SeaDuke, CloudDuke is an advanced toolkit that comes with malware modules. There are many of modules in CloudDuke from unique loaders to two different trojan components. In addition as you might have already guessed it uses cloud services and especially Microsoft’s OneDrive, for command and control and stolen data filtration. According to F-Secure some of the recent CloudDuke spear-phishing campaigns have born a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.

Linux Support

Symantec and Palo Alto Networks published a research paper about SeaDuke, a newer addition to the arsenal of trojans being used by the Duke group.

F-Secure has published an interesting research article on there blog where they provided a definition of difference between new and old Duke trojans:

While older malware by the Duke group has always been written with a combination of the C and C++ programming languages as well as assembly language, SeaDuke is peculiarly written in Python with multiple layers of obfuscation. This Python code is usually then compiled into Windows executables using py2exe or pyinstaller. However, the Python code itself has been designed to work on both Windows and Linux. We therefore suspect, that the Duke group is also using the same SeaDuke Python code to target Linux victims. This is the first time we have seen the Duke group employ malware to target Linux platforms.

Cloud Support

Last week a Duke has also published cloud updates for its very own trojan horse. Based on PDB strings found in the samples, the malware authors refer to the CloudDuke components as “solutions” with names such as “DropperSolution”, “BastionSolution” and “OneDriveSolution”. A list of observed PDB strings :

• C:\DropperSolution\Droppers\Projects\Drop_v2\Release\Drop_v2.pdb
• C:\BastionSolution\Shells\Projects\miniDionis4\miniDionis\obj\Release\miniDionis.pdb
• C:\BastionSolution\Shells\Projects\miniDionis2\miniDionis\obj\Release\miniDionis.pdb

MiniDionis and CloudLook are both components of a larger malware toolset called CloudDuke.

Last week, we also saw Palo Alto Networks and Kaspersky Labs publish research on malware components they respectively called MiniDionis and CloudLook. MiniDionis and CloudLook are both components of a larger malware toolset we call CloudDuke. This toolset consists of malware components that provide varying functionality while partially relying on a shared code framework and always using the same loader. Based on PDB strings found in the samples, the malware authors refer to the CloudDuke components as “solutions” with names such as “DropperSolution”, “BastionSolution” and “OneDriveSolution”. A list of PDB strings we have observed is below:

C:\DropperSolution\Droppers\Projects\Drop_v2\Release\Drop_v2.pdb
C:\BastionSolution\Shells\Projects\miniDionis4\miniDionis\obj\Release\miniDionis.pdb
C:\BastionSolution\Shells\Projects\miniDionis2\miniDionis\obj\Release\miniDionis.pdb
C:\OneDriveSolution\Shells\Projects\OneDrive2\OneDrive\obj\x64\Release\OneDrive.pdb

Similarity with CozyDuke

CloudDuke has spread using spear-phishing email with targets including US DoD. Emails contain links to comrpomised websites that host CloudDuke executables archived in a zip file. After execution two files are added to victim’s hard drive. One being a decoy in forms of PDF or MP3 file and second one a CloudDuke loader embedding in DropperSolution. Victim sees a decoy file while in the background OneDriveSolution or BastionSolution is being downloaded.

F-secure also speaks about resemblance to CozyDuke:

Interestingly, some of the other CloudDuke spear-phishing campaigns we have observed this July have born a striking resemblance to CozyDuke spear-phishing campaigns seen almost exactly a year ago, in the beginning of July 2014. In both spear-phishing campaigns, the decoy document has been the exact same PDF file, a “US letter fax test page” (28d29c702fdf3c16f27b33f3e32687dd82185e8b). Similarly, the URLs hosting the malicious files have, in both campaigns, purported to be related to eFaxes. It is also interesting to note, that in the case of the CozyDuke-inspired CloudDuke spear-phishing campaign, the downloading and execution of the malicious archive linked to in the emails has not resulted in the execution of the CloudDuke downloader but in the execution of the “BastionSolution” component thereby skipping one step from the process described for the other CloudDuke spear-phishing campaigns.

It is clear that such advanced trojans are appearing more and more frequently, while security researchers are trying to adjust to the pace.

We will as always update you about CloudDuke and other major events in security world.

Source F-Secure

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.