ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool CloudDuke

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: CloudDuke

NamesCloudDuke
MiniDionis
CloudLook
CategoryMalware
TypeBackdoor, Loader, Downloader
Description(F-Secure) In the beginning of July 2015, the Dukes embarked on yet another large-scale phishing campaign. The malware toolset used for this campaign was the previously unseen CloudDuke and we believe that the July campaign marks the first time that this toolset was deployed by the Dukes, other than possible small-scale testing.

The CloudDuke toolset consists of at least a loader, a downloader, and two backdoor variants. Both backdoors (internally referred to by their authors as “BastionSolution” and “OneDriveSolution”) essentially allow the operator to remotely execute commands on the compromised machine. The way in which each backdoor does so however is significantly different. While the BastionSolution variant simply retrieves commands from a hard-coded C&C server controlled by the Dukes, the OneDriveSolution utilizes Microsoft’s OneDrive cloud storage service for communicating with its masters, making it significantly harder for defenders to notice the traffic and block the communication channel. What is most significant about the July 2015 CloudDuke campaign is the timeline. The campaign appeared to consist of two distinct waves of spear-phishing, one during the first days of July and the other starting from the 20th of the month. Details of the first wave, including a thorough technical analysis of CloudDuke, was published by Palo Alto Networks on 14th July. This was followed by additional details from Kaspersky in a blog post published on 16th July.
Information<https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf>
MITRE ATT&CK<https://attack.mitre.org/software/S0054/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:CloudDuke>

Last change to this tool card: 23 April 2020

Download this tool card in JSON format

All groups using tool CloudDuke

ChangedNameCountryObserved

APT groups

XAPT 29, Cozy Bear, The DukesRussia2008-2020X
XTurla, Waterbug, Venomous BearRussia1996-Feb 2021 HOT 

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key