All malware is bad, but some malware is more insidious than others. That seems to be the case with CosmicDuke. According to a new white paper from F-Secure, CosmicDuke meshes elements of two notorious malware threats—MiniDuke and Cosmu—to form a potent new attack.
MiniDuke is an APT (advanced persistent threat) Trojan that was uncovered in early 2013. It was used in targeted attacks against NATO and various European government agencies.
According to a blog post from F-Secure, researchers found a variant in April of this year that used some of the same code as Cosmu—a malware known for stealing sensitive information. The resulting threat is a combination of the loader from MiniDuke and the payload from Cosmu, creating an APT Trojan designed to steal sensitive login information that F-Secure dubbed CosmicDuke.
The white paper describes how CosmicDuke uses targeted files or emails in a phishing attack style to lure users into compromising a system. Once the target system is infected, CosmicDuke begins gathering sensitive information using a keylogger, clipboard stealer, screenshot grabber, and password stealing utilities for a variety of chat, email, and browsers. It can also steal cryptographic certificates and their associated private encryption keys.
The information collected by CosmicDuke is transmitted to remote servers, where attackers can use it to log in to servers or online accounts and establish a foothold that enables them to spread to other systems throughout the network and continue to download and execute additional malware threats.
It is not necessarily all that innovative, and F-Secure doesn’t consider CosmicDuke to be groundbreaking as a malware threat. What is most concerning about CosmicDuke is that it seems to blur the line between state-sponsored cyber espionage, and run-of-the-mill crimeware.
According to Sean Sullivan, a security advisor for F-Secure, there are at least indications that it is a well-organized entity—possibly working under “contract” to gather sensitive information on behalf of a government customer.
“At the moment, crimeware which targets consumers is under attack by international law enforcement,” Sullivan says. “It is quite possible that the displaced crimeware vendors found a new buyer of information.”
F-Secure is not aware of any specific targets, but there is evidence that CosmicDuke is being used or is intended for use in targeted attacks. F-Secure says that the decoy document names and subject lines—like “Ukraine-Gas-Pipelines-Security-Report-March-2014.pdf”—used by CosmicDuke point to use against specific industries.
The main thing organizations need to be aware of when it comes to CosmicDuke is that the threat landscape continues to evolve. We have already seen a transition over the last decade or so from script-kiddies creating malware for the fun of it, to organized crime syndicates developing more professional attacks with a profit motive, to state-sponsored cyber espionage that uses much more sophisticated malware exploits. CosmicDuke may represent a new shift that merges these last two attacks in ways that represent a significant threat.
Sullivan stresses that it’s important for organizations to determine security needs based on the threat landscape and dedicate the budget to meet those needs. Allowing cost to dictate security measures is a backwards approach and is simply bad management.
“You are a target," Sullivan says. "Keep calm and secure your stuff.”