7/2/2014
03:22 PM

CosmicDuke: Cosmu & MiniDuke Mash-Up

F-Secure believes that the combo malware might have connections to the perpetrators of the MiniDuke attacks.

F-Secure has discovered a new piece of information-stealing malware built for targeted attacks against government agencies. It combines the payload of the long-running Cosmu family with the loader of the MiniDuke malware that made such a splash when it was exposed in early 2013. F-Secure has dubbed the mash-up CosmicDuke -- and it believes the operators of the two Dukes are connected.

CosmicDuke lifts PKI certificates, keys, password hashes, and password/login combinations by using a keylogger, snapping screenshots, snatching data from the clipboard, and grabbing access credentials saved in browsers, instant messaging apps, and email clients.

There are a few reasons researchers believe there is a connection between the Dukes. As F-Secure explains in its report:

The parallel usage of the loader in the CosmicDuke and MiniDuke families is interesting. The oldest samples we have of this loader that loads Cosmu malware show the compilation date of the loader as March 24, 2011, which predates the oldest publicly documented MiniDuke sample (with a recorded loader compilation date of June 18, 2012). The earlier use of the loader with a Cosmu payload leads us to suspect the existence of a link between the author(s) of Cosmu and MiniDuke.

"We haven't seen any other malware sharing code with MiniDuke," says F-Secure senior researcher Timo Hirvonen, who adds that no other malware family uses this loader. He believes that the people behind CosmicDuke and MiniDuke are at least sharing either code or tools, and might even be the very same malicious actors.

CosmicDuke's targets and presumed infection vectors also resemble MiniDuke's: both reach victims through malicious PDFs and executables disguised as innocuous files.

MiniDuke, outed by Kaspersky in February 2013, was aimed at a small number of government agencies in 23 countries, mostly European. Decoys included documents that appeared to be about human rights seminars, Ukraine's foreign policy, and NATO membership plans.

CosmicDuke may also be aimed at government agencies, mostly in Eastern Europe. The filenames of the decoy documents included references to the Polish Institute of International Affairs, Ukraine gas pipelines, and "civilian crisis center status report." They used a variety of languages, including Russian and Turkish.

The IP addresses of the servers CosmicDuke uses are located in the US, the UK, Sweden, Luxembourg, Russia, the Netherlands, Romania, Germany, Poland, Greece, and the Czech Republic.

None of F-Secure's customers have been infected yet, but Hirvonen believes that CosmicDuke is in use in the wild.

For more information and technical details, see F-Secure's full report.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
securityaffairs
7/3/2014 | 9:18:17 AM
state sponsored hacking?
As explained by Timo, the circumstance is very worrying: the evidence suggests that behind MiniDuke and CosmicDuke there are the same bad actors, or that two distinct groups have collaborated. It is a movie we have already seen; I believe that a state is silently operating to infiltrate European entities.
