
‘CosmicDuke’ Malware Emerges as Update to MiniDuke Espionage Trojan

Even in the world of malware, the one constant is change. 

According to researchers at Kaspersky Lab and F-Secure, the MiniDuke malware spotted last year targeting governments throughout Europe has been updated. The newest version, nicknamed ‘CosmicDuke’ by F-Secure, shares code with an even older piece of malware known as Cosmu whose roots go back to 2001.

“The people behind CosmicDuke and MiniDuke most likely share code and/or tools,” F-Secure Senior Researcher Timo Hirvonen told SecurityWeek. “It might even be the same actor behind both malware families. It is still unknown why they decided to use an infostealer derived from Cosmu, and how they got access to Cosmu. Did they buy a builder if one exists? Do they have the source code? Did they recruit the guys who originally created Cosmu? We don’t know.”

According to F-Secure, the CosmicDuke samples can be divided into three distinct groups based on similarities between the command and control (C&C) servers they contact, their file characteristics and the decoy document used.

“The first group of samples (Group #1) is spread using 3 dropper files that display specific decoy documents,” F-Secure explained in a whitepaper on the malware. “The second sample group (Group #2) uses both exploit-loaded files and dropper files.”

The third group, F-Secure noted, does not use the droppers or exploits associated with the other two. All the samples in this group connected to an FTP server at IP 188.116.32.164 using the same username (“adair”) and password. This is the only server that the samples in group three with the original MiniDuke loader use, according to the paper.
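The two passages above describe how F-Secure split the samples into groups by shared C&C server, file characteristics and decoy document, and the one concrete indicator the article gives for group three: an FTP server at 188.116.32.164 with the username “adair”. The script below, added here as an illustration and not F-Secure’s or Kaspersky Lab’s code, does both jobs on constructed data: it clusters a handful of made-up sample records by C&C server and then checks constructed FTP log lines for the group-three server and username. The sample field names (`c2`, `decoy`, `delivery`) and the log format are assumptions; only the IP and the username come from the article.

```python
"""Triage samples by shared C&C infrastructure and check FTP logs for the
group-3 server named in the article.  Added example, not vendor code."""
from collections import defaultdict
import re

GROUP3_FTP_SERVER = "188.116.32.164"   # from the article
GROUP3_FTP_USER = "adair"              # from the article

# Constructed sample metadata; field names are assumptions for this example.
SAMPLES = [
    {"id": "sample-A", "c2": "188.116.32.164", "decoy": None,         "delivery": "miniduke-loader"},
    {"id": "sample-B", "c2": "188.116.32.164", "decoy": None,         "delivery": "miniduke-loader"},
    {"id": "sample-C", "c2": "c2-one.example", "decoy": "decoy1.pdf", "delivery": "dropper"},
    {"id": "sample-D", "c2": "c2-one.example", "decoy": "decoy2.pdf", "delivery": "dropper"},
    {"id": "sample-E", "c2": "c2-two.example", "decoy": "decoy3.pdf", "delivery": "exploit"},
    {"id": "sample-F", "c2": "c2-two.example", "decoy": "decoy3.pdf", "delivery": "dropper"},
]

# Constructed FTP/firewall log lines: "<timestamp> key=value key=value ...".
LOG_LINES = [
    "2014-07-02T10:15:01Z host=ws-17 proto=ftp dst=188.116.32.164 dport=21 user=adair",
    "2014-07-02T10:16:44Z host=ws-03 proto=http dst=203.0.113.9 dport=80",
    "2014-07-02T10:20:09Z host=ws-22 proto=ftp dst=198.51.100.5 dport=21 user=adair",
    "2014-07-02T10:21:30Z host=ws-08 proto=ftp dst=198.51.100.7 dport=21 user=backup",
]

KV = re.compile(r"(\w+)=(\S+)")


def group_samples(samples):
    """Cluster samples by C&C server and record each cluster's profile: the
    delivery mechanisms (dropper / exploit / loader) and decoy documents seen.
    Samples that share a server end up in one group, mirroring the article's
    three-way split."""
    groups = defaultdict(lambda: {"samples": [], "deliveries": set(), "decoys": set()})
    for s in samples:
        g = groups[s["c2"]]
        g["samples"].append(s["id"])
        g["deliveries"].add(s["delivery"])
        if s["decoy"]:
            g["decoys"].add(s["decoy"])
    return dict(groups)


def parse_line(line):
    """Split a constructed log line into a dict of its key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def find_group3_ftp(lines):
    """Return (host, confidence, reason) for each FTP event matching the
    group-3 indicators.  A connection to the known server is high confidence;
    the same username against any other server is a weaker lead worth a look."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f.get("proto") != "ftp":
            continue
        if f.get("dst") == GROUP3_FTP_SERVER:
            findings.append((f["host"], "high", "FTP connection to known CosmicDuke group-3 server"))
        elif f.get("user") == GROUP3_FTP_USER:
            findings.append((f["host"], "medium", "FTP login with group-3 username to a different server"))
    return findings


if __name__ == "__main__":
    for c2, g in group_samples(SAMPLES).items():
        print(c2, sorted(g["samples"]), sorted(g["deliveries"]), sorted(g["decoys"]))
    for host, conf, why in find_group3_ftp(LOG_LINES):
        print(f"{conf:6} {host}: {why}")
```

Keying the clusters on the C&C server is a simplification of F-Secure’s three-feature comparison, but it is the feature a defender can act on directly: a single IP or username indicator can be pushed to firewall and FTP logs, while decoy-document and dropper characteristics are better suited to sample triage than to network monitoring.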

The older versions of MiniDuke are still around and being used in attack campaigns as well, and use Twitter accounts containing a hardcoded command and control URL pointing to the C&C server.

“After the 2013 exposure, the actor behind MiniDuke appears to have switched to using another custom backdoor, capable of stealing various types of information,” Kaspersky Lab’s Global Research & Analysis Team (GReAT) noted in a blog post.


“The main ‘new’ MiniDuke backdoor (aka TinyBaron or CosmicDuke) is compiled using a customizable framework called ‘BotGenStudio’, which has flexibility to enable/disable components when the bot is constructed,” the Kaspersky Lab researchers explained.

The backdoor has a number of capabilities such as keylogging, screen grabbing and password theft.

“The malware implements several methods to exfiltrate information, including uploading data via FTP and three variants of HTTP-based communication mechanisms,” according to Kaspersky Lab. “A number of different HTTP connectors act as helpers, trying various methods in case one of them is restricted by local security policies or security software. These three methods are: Direct TCP connection and HTTP session via Winsock library; HTTP session via Urlmon.dll; (and) HTTP session via invisible instance of Internet Explorer as OLE object.”
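The fallback behaviour Kaspersky Lab describes, several HTTP connectors tried in turn until one gets past local policy, leaves a pattern a proxy log can surface: one host hitting the same destination through several distinct client signatures within seconds, the earlier attempts rejected and a later one succeeding. The heuristic below is an added example, not Kaspersky Lab’s detection logic. The proxy log lines are constructed, and the user-agent strings are stand-ins for a raw Winsock request (no user agent), a Urlmon.dll request and a real Internet Explorer instance; they are assumptions for the example, not fingerprints from the article.

```python
"""Flag src/dst pairs that cycle through several HTTP client signatures in a
short window, with rejections followed by a success.  Added example; the log
lines and user-agent strings are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: "<iso-ts> <src-ip> <dst-host> <status> <user-agent>".
# "-" means the request carried no User-Agent header.
PROXY_LOG = [
    "2014-07-02T10:15:01Z 10.0.0.17 upload.example.net 403 -",
    "2014-07-02T10:15:03Z 10.0.0.17 upload.example.net 403 Mozilla/4.0 (compatible; MSIE 7.0; Win32)",
    "2014-07-02T10:15:06Z 10.0.0.17 upload.example.net 200 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "2014-07-02T10:15:09Z 10.0.0.23 intranet.example.com 200 Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0",
    "2014-07-02T10:40:00Z 10.0.0.23 intranet.example.com 200 curl/7.30.0",
]


def parse(line):
    """Split one constructed log line; the user agent is everything after the
    fourth space so embedded spaces survive."""
    ts, src, dst, status, ua = line.split(" ", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(status), ua


def find_connector_fallback(lines, window=timedelta(seconds=60), min_signatures=3):
    """Return (src, dst, user_agents) for every src/dst pair that, inside
    `window`, used at least `min_signatures` distinct client signatures, had
    at least one request rejected (status >= 400) and finished with a 2xx.
    Legitimate browsers and tools rarely switch user agent mid-conversation,
    so the combination is a reasonable lead rather than a verdict."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, status, ua = parse(line)
        by_pair[(src, dst)].append((ts, status, ua))

    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            signatures = []
            for _, _, ua in in_window:
                if ua not in signatures:
                    signatures.append(ua)
            rejected = any(s >= 400 for _, s, _ in in_window[:-1])
            succeeded = 200 <= in_window[-1][1] < 300
            if len(signatures) >= min_signatures and rejected and succeeded:
                hits.append((src, dst, signatures))
                break   # one finding per pair is enough for triage
    return hits


if __name__ == "__main__":
    for src, dst, uas in find_connector_fallback(PROXY_LOG):
        print(f"{src} -> {dst}: {len(uas)} client signatures in one minute: {uas}")
```

The rule is deliberately conservative: it requires three signatures, a rejection and a success in the same minute, so a single tool that retries with one user agent, or two unrelated programs on one host, will not trip it. Tune the window and the signature count to the proxy’s own traffic before relying on it.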

One of the CosmicDuke servers analyzed by the Kaspersky Lab team had a list of victims going back to April 2012. The server had 265 unique identifiers assigned to victims from 139 unique IPs. Most of the victims were from the countries of Georgia, Russia and the United States.

“While the old style Miniduke implants were used to target mostly government victims, the new style CosmicDuke implants have a somehow different typology of victims,” according to Kaspersky Lab. “The most unusual is the targeting of individuals that appear to be involved in the traffic and reselling of controlled and illegal substances, such as steroids and hormones. These victims in the NITRO project have been observed only in Russia. One possibility is that ‘BotGenStudio’ is a malware platform also available as a so-called ‘legal spyware’ tool, similar to others, such as HackingTeam’s RCS, widely used by law enforcement agencies. Another possibility is that it’s simply available in the underground and purchased by various competitors in the pharmaceutical business to spy on each other.”

While he did not classify the malware as particularly sophisticated, Hirvonen noted that it still manages to get the job done.

“Once we learn about the victims, we know how efficient CosmicDuke has been,” he said. “Why build something overly complex or sophisticated if you can get the job done with something rather straightforward? It keeps surprising me how simple yet effective some of the malware used in targeted attacks is.”

*This story was updated with a clarification about the server being used by certain samples of the malware. 

Written By

Marketing professional with a background in journalism and a focus on IT security.