February 13, 2019
SNAKEMACKEREL Delivers SedUploader Malware
By: Matthew Brady and Kimberly Bucholz

iDefense analysts recently identified a macro-enabled Microsoft Corp. Word document that references themes taken from the Underwater Defence & Security 2019 event, which is scheduled to occur March 5-7, 2019, in Southampton, United Kingdom at the Ageas Hilton hotel. The document is used to drop a DLL file that is believed to be a version of SedUploader, a first-stage reconnaissance tool thought to be developed and used by SNAKEMACKEREL actors.

According to the event website, this is a three-day global event focused on how NATO members and affiliated nation states can respond to sea-based threats, including what role manned, unmanned and autonomous systems can be used effectively to conduct dangerous mission operations. The official conference agenda for 2019 appears to emphasize the need for NATO members and affiliate nation states to improve naval capabilities (e.g., fleets and submarines) to address increasing global instability.

The actors appear to have stolen content for the lure document directly from a registration web page that hosts the official conference agenda. Based on iDefense’s analysis, the lure document was used to drop a DLL file at two locations on the targeted system; the file is believed to be a version of SedUploader, a first-stage reconnaissance tool developed and used by the Russian cyber-espionage threat group SNAKEMACKEREL. The malware uses XOR encryption to obfuscate hardcoded artifacts, including a specific mutex.

The macro in the Word document drops two identical DLL files to two separate locations on the victim system. It executes one immediately and sets the other as the registry run key for persistence at reboot. iDefense has moderate confidence that one of the intended targets of this campaign was an unknown entity based in Macedonia. This observation is notable, as Macedonia is currently pending admission to NATO as that organization’s thirtieth member; this admission is expected to become official sometime in 2020. This activity aligns with prior SNAKEMACKEREL threat activity, with the group allegedly having targeted government officials in Montenegro back in 2017 prior to that country’s accession to NATO.1

Looking forward

iDefense analysts note that this event draws attendees from government, military and private sector entities (defense and aerospace, high tech, etc.) across the globe, including those located in the United States, Western and Eastern Europe, the Middle East and the Asia-Pacific region.

This alert is intended to provide early indication and warning (I&W) notice to public and private sector organizations that are either sponsoring or attending this global event, as it represents a unique opportunity for SNAKEMACKEREL actors to conduct targeted attacks against entities aligned with its collection requirements. iDefense analysts will continue to monitor for new activity related to this global event and will provide additional updates as necessary.



Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 442,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at


Popular Tags

    More blogs on this topic