CosmicDuke malware threat uncovered by F-Secure

White hats uncover mysterious CosmicDuke mongrel family of malware

A new family of malware that shares code with both the notorious MiniDuke and ancient Cosmu attack tools has been discovered by researchers at F-Secure.

The researchers reported the mongrel CosmicDuke malware in the company’s CosmicDuke: Cosmu with a twist of MiniDuke threat report. They discovered CosmicDuke while examining strains of the MiniDuke attack tool used in 2013 strikes on Nato and a number of EU government networks.

“While investigating MiniDuke loaders in April 2014, we were surprised to notice that the malicious executable being decompressed and loaded into memory was very similar to the Cosmu family of information-stealers, which we saw as long ago as 2001,” read the threat report.

The research indicates Cosmu may actually have been a precursor malware that influenced the development of MiniDuke. MiniDuke is a notorious type of malware uncovered by Kaspersky Labs and Hungarian researchers at Crysys Lab in February 2013.

The researchers said that, like MiniDuke, the CosmicDuke samples they analysed are disguised as PDF files which, when launched, infect the machine with malware.

“CosmicDuke infections start by tricking victims into opening either a PDF file that contains an exploit or a Windows executable whose filename is manipulated to make it look like a document or image file. Once the victim opens the file, the malware gains persistence on the system and starts collecting information,” read the report.
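The second lure the report describes, an executable whose filename is dressed up to look like a document or image, can be screened for on the defender's side. Below is an added example, not code from the F-Secure report or this article: a filename triage function that flags the common disguises (a document or image extension followed by an executable one, Unicode bidirectional override characters that reverse the displayed extension, and whitespace padding that pushes the real extension out of view). The sample filenames are constructed for illustration.

```python
import re

# Extensions Windows launches directly: the true type of a masquerading file
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "lnk"}
# Extensions a lure pretends to be (documents and images)
LURE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt",
             "jpg", "jpeg", "png", "gif"}
# Unicode bidirectional controls (e.g. U+202E RIGHT-TO-LEFT OVERRIDE) that reorder displayed text
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def assess_filename(name: str) -> list[str]:
    """Return the reasons a filename looks like a disguised executable (empty list = no finding)."""
    findings = []
    # 'invoice' + U+202E + 'fdp.exe' is rendered as 'invoiceexe.pdf' but still runs as .exe
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-override")
    parts = name.lower().split(".")
    if len(parts) >= 2 and parts[-1].strip() in EXECUTABLE_EXTS:
        # An earlier dotted component that reads as a document/image extension is the lure
        if any(p.strip() in LURE_EXTS for p in parts[1:-1]):
            findings.append("double-extension")
        # Runs of spaces before the real extension hide it in narrow file-dialog columns
        if re.search(r"\s{5,}", name):
            findings.append("whitespace-padding")
    return findings


def scan(names: list[str]) -> dict[str, list[str]]:
    """Map each flagged filename to its findings; clean names are omitted."""
    return {n: f for n in names if (f := assess_filename(n))}


if __name__ == "__main__":
    # Constructed sample names (assumption: not taken from any real CosmicDuke sample)
    samples = [
        "agenda.pdf",                  # genuine document name, no finding
        "setup.exe",                   # plain executable, not pretending to be a document
        "photo.jpg.exe",               # image lure with a hidden executable extension
        "invoice\u202efdp.exe",        # right-to-left override: displays as invoiceexe.pdf
        "report.pdf        .scr",      # document lure plus whitespace padding
    ]
    for name, reasons in scan(samples).items():
        print(f"{name!r}: {', '.join(reasons)}")
```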

The malware grants hackers a variety of powers and installs a number of attack tools including a keylogger, clipboard stealer, screenshotter, and password stealers for a variety of popular chat, email and web browsing programs.

F-Secure security analyst Sean Sullivan told V3 that the firm has so far only caught decoy document samples of CosmicDuke and has yet to see it used in a real-world attack, but added that there is evidence to suggest it is being used by state-sponsored groups.

“We don’t have any confirmation of targets. But based on the decoy document names and subjects it is being used in targeted attacks,” he said.

“It appears to be state sponsored. Or else it is an organised actor – perhaps a contractor who is gathering information to sell to a government. At the moment, crimeware which targets consumers is under attack by international law enforcement so it is quite possible that the displaced crimeware vendors found a new buyer of information.”

Sullivan cited CosmicDuke as proof that firms must invest in cyber security, warning them: “You are a target. Keep calm and secure your stuff. For IT managers: ask for the security budget you need, and fight for it. There is more evidence than ever that letting cost dictate security is bad management.”

CosmicDuke is one of many advanced threats uncovered recently. Symantec reported on Wednesday that the infamous Dragonfly hackers have returned and are targeting a number of Western critical infrastructure companies with cyber attacks capable of physically sabotaging their systems.
