Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

7/2/2014
03:22 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

CosmicDuke: Cosmu & MiniDuke Mash-Up

F-Secure believes that the combo malware might have connections to the perpetrators of the miniDuke attacks.

F-Secure has discovered a new bit of info-stealing malware built for targeted attacks against government agencies. Combining the payload of the old, faithful Cosmu and the loader of the miniDuke malware that made such a splash last winter, this mash-up has been dubbed CosmicDuke -- and F-Secure thinks there's a connection between the operators of the Duke brothers.

CosmicDuke lifts PKI certificates, keys, password hashes, and password/login combinations by using a keylogger, snapping screenshots, snatching data from the clipboard, and grabbing access credentials saved in browsers, instant messaging apps, and email clients.

There are a few reasons researchers believe there is a connection between the Dukes. As F-Secure explains in its report:

The parallel usage of the loader in the CosmicDuke and MiniDuke families is interesting. The oldest samples we have of this loader that loads Cosmu malware show the compilation date of the loader as March 24, 2011, which predates the oldest publicly documented MiniDuke sample (with a recorded loader compilation date of June 18, 2012). The earlier use of the loader with a Cosmu payload leads us to suspect the existence of a link between the author(s) of Cosmu and MiniDuke.

"We haven't seen any other malware sharing code with miniDuke," says F-Secure senior researcher Timo Hirvonen, who adds that no other malware family uses this loader. He believes that the people behind CosmicDuke and miniDuke are at least sharing either code or tools, and might even be the very same malicious actors.

CosmicDuke's attack targets and presumed infection vectors are also similar to miniDuke. They both infect victims through the use of malicious PDFs and executables disguised as innocent files.

MiniDuke, outed by Kaspersky in February 2013, was aimed at a small number of government agencies in 23 countries, mostly European. Decoys included documents that appeared to be about human rights seminars, Ukraine's foreign policy, and NATO membership plans.

CosmicDuke may also be aimed at government agencies, mostly in Eastern Europe. The filenames of the decoy documents included references to the Polish Institute of International Affairs, Ukraine gas pipelines, and "civilian crisis center status report." They used a variety of languages, including Russian and Turkish.

The IP addresses of the servers CosmicDuke is using are located in the US, the UK, Sweden, Luxembourg, Russia, Holland, Romania, Germany, Poland, Greece, and the Czech Republic.

None of F-Secure's customers have been infected yet, but Hirvonen believes that CosmicDuke is in use in the wild.

For more information and technical details, see F-Secure's full report.

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
7/3/2014 | 9:18:17 AM
state sponsored hacking?
As explained by Timo, the circumstance is very worrying, the evidence suggests that behind the Miniduke and CosmicDuke there are the same bad actors, or that the two distinct groups have collaborated. It is a movie already seen, I believe that a state is silently operating to infiltrate European entities.

 
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26895
PUBLISHED: 2020-10-21
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver,...
CVE-2020-26896
PUBLISHED: 2020-10-21
Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collis...
CVE-2020-5790
PUBLISHED: 2020-10-20
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5791
PUBLISHED: 2020-10-20
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
CVE-2020-5792
PUBLISHED: 2020-10-20
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.