“It’s a bit unexpected – normally, when we hear about APTs, we tend to think they are nation-state backed cyber espionage campaigns,” commented Vitaly Kamluk, principal security researcher at the Global Research and Analysis Team, Kaspersky Lab, in a press release. “But we see two explanations for this. One possibility is that malware platform BotGenStudio used in Miniduke is also available as a so-called ‘legal spyware’ tool, similar to others, such as HackingTeam’s RCS, widely used by law enforcement. Another possibility is that it’s simply available in the underground and purchased by various competitors in the pharma business to spy on each other.”
Following Kaspersky Lab’s joint work with CrySyS Lab last year, the creators of Miniduke resumed their attacks with different tools and methods in early 2014.
After the 2013 attacks, the actor began using another backdoor capable of stealing information. The malware disguises itself as popular applications running in the background.
The “new” Miniduke backdoor (aka TinyBaron or CosmicDuke) is compiled using BotGenStudio, a framework flexible enough to enable or disable individual components. Among the backdoor’s other capabilities are harvesting network information and protected storage secrets, grabbing information from screens and clipboards, stealing passwords from a number of applications such as Skype, Google Chrome and Firefox, and exporting certificates and private keys.
There are three groups of components: persistence, reconnaissance and exfiltration. For persistence, Miniduke/CosmicDuke can be started by Windows Task Scheduler, by a customized service binary that spawns a new process, or when the user is away and the screensaver is activated. The reconnaissance components can steal files with a number of extensions, among other information.
Miniduke implements several network connectors to exfiltrate data, including uploading it via FTP and HTTP. Storing exfiltrated data is another feature of MiniDuke. Each victim is assigned a unique ID, which allows updates to be delivered to an individual victim. For self-protection, it uses an obfuscated loader that consumes heavy CPU resources; this hinders antimalware solutions that analyze and detect malicious functionality and complicates malware analysis.
During the analysis, Kaspersky Lab experts obtained a copy of one of the CosmicDuke servers. It appears it was used not only for communication between CosmicDuke actors and infected PCs, but also for hacking into other servers on the Internet to collect everything that can lead to potential targets.
While the old style Miniduke implants targeted mostly government entities, the new style CosmicDuke implants targeted victims other than governments, such as the energy sector, telecom operators, military contractors and individuals involved in the trafficking and sale of illegal and controlled substances.
From the CosmicDuke servers, experts extracted a list of victims and their corresponding countries and found out that users of the old style MiniDuke servers were interested in targets in Australia, Belgium, France, Germany, Hungary, Netherlands, Spain, Ukraine and the United States.
One of the analyzed CosmicDuke servers had a long list of victims starting from April 2012. Geographically, the victims were located in Georgia, Russia, the US, the UK, Kazakhstan, India, Belarus, Cyprus, Ukraine and Lithuania. The attackers also operated and scanned IP ranges and servers in the Republic of Azerbaijan, Greece and Ukraine. Unusual victims discovered were individuals who appeared to be involved in the trafficking of controlled and illegal substances; these were observed only in Russia.
Although the attackers use English, indicating knowledge of the language, indicators such as strings in a memory block appended to the malware used for persistence mark them as non-native English speakers.
Kaspersky Lab experts observed that the Miniduke/CosmicDuke attackers’ activity follows a Monday-to-Friday work week, although they work on weekends from time to time. Their hours of activity appear to be between 6 AM and 7 PM GMT.
Kaspersky Lab products detect CosmicDuke backdoor as Backdoor.Win32.CosmicDuke.gen and Backdoor.Win32.Generic.