Duke APT group's latest tools: cloud services and Linux support

Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group.

While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or "solutions" as the Duke group apparently calls them. These components include a unique loader, a downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control and the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have borne a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.

Linux support added with the cross-platform SeaDuke malware

Last week, both Symantec and Palo Alto Networks published research on SeaDuke, a newer addition to the arsenal of trojans being used by the Duke group. While older malware by the Duke group has always been written in a combination of the C and C++ programming languages as well as assembly language, SeaDuke is peculiarly written in Python with multiple layers of obfuscation. This Python code is usually then compiled into Windows executables using py2exe or PyInstaller. However, the Python code itself has been designed to work on both Windows and Linux. We therefore suspect that the Duke group is also using the same SeaDuke Python code to target Linux victims.
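As an added triage example (not code from the original post, Symantec, Palo Alto Networks or any SeaDuke sample), the following Python check looks for the two packaging fingerprints the text mentions: the archive cookie that PyInstaller appends to the executable and the PYTHONSCRIPT resource name that py2exe embeds. It assumes the PyInstaller 2.x cookie layout (magic, package length, TOC offset, TOC length, Python version, all 32-bit big-endian) and uses constructed sample bytes rather than a real binary.

```python
import struct

# PyInstaller ends its bundled archive with a "cookie" whose magic is these 8 bytes.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# py2exe stores the marshalled script in a PE resource named PYTHONSCRIPT.
PY2EXE_MARKER = b"PYTHONSCRIPT"
# Assumed PyInstaller 2.x cookie: 8-byte magic followed by four big-endian int32s.
COOKIE_FORMAT = "!8siiii"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 24 bytes


def detect_python_packer(data: bytes) -> dict:
    """Report which Python-to-EXE packer fingerprint (if any) appears in an image.

    Returns {"packer": "pyinstaller" | "py2exe" | None, "python_version": str | None}.
    Both checks are string heuristics: they tell an analyst that a sample is
    probably a packaged Python script, not that it is malicious.
    """
    result = {"packer": None, "python_version": None}
    idx = data.rfind(PYINSTALLER_MAGIC)          # cookie sits near the end of the file
    if idx != -1 and len(data) - idx >= COOKIE_SIZE:
        result["packer"] = "pyinstaller"
        _, _, _, _, pyver = struct.unpack(COOKIE_FORMAT, data[idx:idx + COOKIE_SIZE])
        # Version is encoded as a small integer, e.g. 27 for Python 2.7.
        result["python_version"] = f"{pyver // 10}.{pyver % 10}"
        return result
    if PY2EXE_MARKER in data:
        result["packer"] = "py2exe"
    return result


def scan_file(path: str) -> dict:
    """Run the fingerprint check over an executable on disk."""
    with open(path, "rb") as fh:
        return detect_python_packer(fh.read())


def constructed_pyinstaller_sample() -> bytes:
    """Constructed stand-in for a PyInstaller-built PE: MZ header, filler, cookie."""
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, 4096, 3000, 512, 27)
    return b"MZ" + b"\x00" * 64 + b"<archive payload>" + cookie


def constructed_py2exe_sample() -> bytes:
    """Constructed stand-in for a py2exe-built PE carrying the resource name."""
    return b"MZ" + b"\x00" * 64 + PY2EXE_MARKER + b"\x00" * 16


if __name__ == "__main__":
    print(detect_python_packer(constructed_pyinstaller_sample()))
    print(detect_python_packer(constructed_py2exe_sample()))
```

Because the markers are plain byte strings, they can be stripped or forged; treat a hit as a reason to unpack and inspect the embedded Python, not as a verdict.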