F-Secure has discovered a new bit of info-stealing malware built for targeted attacks against government agencies. Combining the payload of the old, faithful Cosmu and the loader of the miniDuke malware that made such a splash last winter, this mash-up has been dubbed CosmicDuke -- and F-Secure thinks there's a connection between the operators of the Duke brothers.
CosmicDuke lifts PKI certificates, keys, password hashes, and password/login combinations by using a keylogger, snapping screenshots, snatching data from the clipboard, and grabbing access credentials saved in browsers, instant messaging apps, and email clients.
There are a few reasons researchers believe there is a connection between the Dukes. As F-Secure explains in its report:
The parallel usage of the loader in the CosmicDuke and MiniDuke families is interesting. The oldest samples we have of this loader that loads Cosmu malware show the compilation date of the loader as March 24, 2011, which predates the oldest publicly documented MiniDuke sample (with a recorded loader compilation date of June 18, 2012). The earlier use of the loader with a Cosmu payload leads us to suspect the existence of a link between the author(s) of Cosmu and MiniDuke.
"We haven't seen any other malware sharing code with miniDuke," says F-Secure senior researcher Timo Hirvonen, who adds that no other malware family uses this loader. He believes that the people behind CosmicDuke and miniDuke are at least sharing either code or tools, and might even be the very same malicious actors.
CosmicDuke's attack targets and presumed infection vectors are also similar to miniDuke. They both infect victims through the use of malicious PDFs and executables disguised as innocent files.
MiniDuke, outed by Kaspersky in February 2013, was aimed at a small number of government agencies in 23 countries, mostly European. Decoys included documents that appeared to be about human rights seminars, Ukraine's foreign policy, and NATO membership plans.
CosmicDuke may also be aimed at government agencies, mostly in Eastern Europe. The filenames of the decoy documents included references to the Polish Institute of International Affairs, Ukraine gas pipelines, and "civilian crisis center status report." They used a variety of languages, including Russian and Turkish.
The IP addresses of the servers CosmicDuke is using are located in the US, the UK, Sweden, Luxembourg, Russia, Holland, Romania, Germany, Poland, Greece, and the Czech Republic.
None of F-Secure's customers have been infected yet, but Hirvonen believes that CosmicDuke is in use in the wild.
For more information and technical details, see F-Secure's full report.