Vulnerabilities / Threats // Advanced Threats
7/2/2014
03:22 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

CosmicDuke: Cosmu & MiniDuke Mash-Up

F-Secure believes that the combo malware might have connections to the perpetrators of the miniDuke attacks.

F-Secure has discovered a new bit of info-stealing malware built for targeted attacks against government agencies. Combining the payload of the old, faithful Cosmu and the loader of the miniDuke malware that made such a splash last winter, this mash-up has been dubbed CosmicDuke -- and F-Secure thinks there's a connection between the operators of the Duke brothers.

CosmicDuke lifts PKI certificates, keys, password hashes, and password/login combinations by using a keylogger, snapping screenshots, snatching data from the clipboard, and grabbing access credentials saved in browsers, instant messaging apps, and email clients.

There are a few reasons researchers believe there is a connection between the Dukes. As F-Secure explains in its report:

The parallel usage of the loader in the CosmicDuke and MiniDuke families is interesting. The oldest samples we have of this loader that loads Cosmu malware show the compilation date of the loader as March 24, 2011, which predates the oldest publicly documented MiniDuke sample (with a recorded loader compilation date of June 18, 2012). The earlier use of the loader with a Cosmu payload leads us to suspect the existence of a link between the author(s) of Cosmu and MiniDuke.

"We haven't seen any other malware sharing code with miniDuke," says F-Secure senior researcher Timo Hirvonen, who adds that no other malware family uses this loader. He believes that the people behind CosmicDuke and miniDuke are at least sharing either code or tools, and might even be the very same malicious actors.

CosmicDuke's attack targets and presumed infection vectors are also similar to miniDuke. They both infect victims through the use of malicious PDFs and executables disguised as innocent files.

MiniDuke, outed by Kaspersky in February 2013, was aimed at a small number of government agencies in 23 countries, mostly European. Decoys included documents that appeared to be about human rights seminars, Ukraine's foreign policy, and NATO membership plans.

CosmicDuke may also be aimed at government agencies, mostly in Eastern Europe. The filenames of the decoy documents included references to the Polish Institute of International Affairs, Ukraine gas pipelines, and "civilian crisis center status report." They used a variety of languages, including Russian and Turkish.

The IP addresses of the servers CosmicDuke is using are located in the US, the UK, Sweden, Luxembourg, Russia, Holland, Romania, Germany, Poland, Greece, and the Czech Republic.

None of F-Secure's customers have been infected yet, but Hirvonen believes that CosmicDuke is in use in the wild.

For more information and technical details, see F-Secure's full report.

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/3/2014 | 9:18:17 AM
state sponsored hacking?
As explained by Timo, the circumstance is very worrying, the evidence suggests that behind the Miniduke and CosmicDuke there are the same bad actors, or that the two distinct groups have collaborated. It is a movie already seen, I believe that a state is silently operating to infiltrate European entities.

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.