The Duke APT group continues to change up its tactics with the new “SeaDuke” and “CloudDuke” malware, as F-Secure refers to them.
SeaDuke, the firm wrote in a post, differentiates itself from prior iterations by being written in Python and having cross-platform functionality across Windows and Linux. On the other hand, CloudDuke is an “entire toolset” of malware components, including a unique loader, downloader, and two different trojan components.
CloudDuke also uses cloud storage services for both command and control and the exfiltration of stolen data. F-Secure cited Microsoft's OneDrive as the campaign's preferred cloud solution. This likely helps evade detection because a popular cloud storage service wouldn't raise red flags, the post stated.
The researchers tied CloudDuke to the group's prior CozyDuke campaign because of their similar spearphishing emails. CozyDuke is believed to have targeted the White House and State Department this past year.