CosmicDuke: Cosmu & MiniDuke Mash-Up

Published: 22/11/2024   Category: security




F-Secure believes that the combo malware might have connections to the perpetrators of the miniDuke attacks.



F-Secure has discovered a new bit of info-stealing malware built for targeted attacks against government agencies. Combining the payload of the old, faithful Cosmu and the loader of the miniDuke malware that made such a splash last winter, this mash-up has been dubbed CosmicDuke -- and F-Secure thinks there's a connection between the operators of the Duke brothers.
CosmicDuke lifts PKI certificates, keys, password hashes, and password/login combinations by using a keylogger, snapping screenshots, snatching data from the clipboard, and grabbing access credentials saved in browsers, instant messaging apps, and email clients.
There are a few reasons researchers believe there is a connection between the Dukes. As F-Secure explains in its report:
The parallel usage of the loader in the CosmicDuke and MiniDuke families is interesting. The oldest samples we have of this loader that loads Cosmu malware show the compilation date of the loader as March 24, 2011, which predates the oldest publicly documented MiniDuke sample (with a recorded loader compilation date of June 18, 2012). The earlier use of the loader with a Cosmu payload leads us to suspect the existence of a link between the author(s) of Cosmu and MiniDuke.
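The attribution argument above rests on comparing the loader's compilation timestamp across samples. The following Python is an added illustration, not code from the article or from F-Secure's report: it reads the COFF TimeDateStamp out of a PE header and orders samples by it. The two images it works on are constructed in-memory stand-ins stamped with the dates quoted above, not the real Cosmu or MiniDuke loaders, and the function names are this example's own.

```python
import struct
from datetime import datetime, timezone


def build_minimal_pe(compiled: datetime, machine: int = 0x14C) -> bytes:
    """Constructed stand-in image: DOS header + PE signature + COFF file header,
    just enough to carry a TimeDateStamp. Not a real malware sample."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)  # e_lfanew: PE header follows the DOS header
    timestamp = int(compiled.timestamp())
    # COFF file header fields: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos_header) + b"PE\0\0" + coff_header


def pe_compile_time(image: bytes) -> datetime:
    """Parse the COFF TimeDateStamp from a PE image and return it as UTC."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # TimeDateStamp sits 8 bytes past the signature, after Machine (2) and NumberOfSections (2)
    (timestamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def order_by_compile_time(samples: dict) -> list:
    """Return (name, compile_time) pairs, oldest loader build first."""
    dated = [(name, pe_compile_time(image)) for name, image in samples.items()]
    return sorted(dated, key=lambda pair: pair[1])


# Compile dates as quoted from F-Secure's report; the images themselves are constructed.
SAMPLES = {
    "cosmu_loader": build_minimal_pe(datetime(2011, 3, 24, tzinfo=timezone.utc)),
    "miniduke_loader": build_minimal_pe(datetime(2012, 6, 18, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for name, when in order_by_compile_time(SAMPLES):
        print(f"{name}: {when:%Y-%m-%d}")
```

The timestamp is written by the linker and can be set to any value, so a shared loader build date corroborates a link between sample families rather than proving one; an analyst would pair it with code overlap, as the report does.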
"We haven't seen any other malware sharing code with miniDuke," says F-Secure senior researcher Timo Hirvonen, who adds that no other malware family uses this loader. He believes that the people behind CosmicDuke and miniDuke are at least sharing either code or tools, and might even be the very same malicious actors.
CosmicDuke's attack targets and presumed infection vectors are also similar to miniDuke's. They both infect victims through the use of malicious PDFs and executables disguised as innocent files.
MiniDuke, outed by Kaspersky in February 2013, was aimed at a small number of government agencies in 23 countries, mostly European. Decoys included documents that appeared to be about human rights seminars, Ukraine's foreign policy, and NATO membership plans.
CosmicDuke may also be aimed at government agencies, mostly in Eastern Europe. The filenames of the decoy documents included references to the Polish Institute of International Affairs, Ukraine gas pipelines, and a civilian crisis center status report. They used a variety of languages, including Russian and Turkish.
The IP addresses of the servers CosmicDuke is using are located in the US, the UK, Sweden, Luxembourg, Russia, Holland, Romania, Germany, Poland, Greece, and the Czech Republic.
None of F-Secure's customers have been infected yet, but Hirvonen believes that CosmicDuke is in use in the wild.
For more information and technical details, see F-Secure's full report.