Kaspersky Lab researchers have discovered that the old style Miniduke implants from 2013 are still around and are being used in active campaigns that target governments and other entities. In addition, Miniduke’s new platform – BotGenStudio – may be used not only by APT style attackers, but by law enforcement agencies and traditional criminals too.
Although the Miniduke APT actor stopped its campaign, or at least reduced its intensity, in the wake of the announcement made by Kaspersky Lab and its partner CrySyS Lab last year, the group resumed attacks in full force in early 2014. This time around we have noticed changes both in the way the attackers operate and in the tools they use.
The “new” Miniduke backdoor
After the 2013 exposure, the actor behind Miniduke started using another custom backdoor, capable of stealing various types of information. The malware spoofs popular applications which are designed to run in the background, including file information, icons and even file size.
The main “new” Miniduke backdoor (aka TinyBaron or CosmicDuke) is compiled using a customisable framework called BotGenStudio, which allows components to be enabled or disabled when the bot is constructed. The components can be divided into three groups:
1. Persistence – Miniduke/CosmicDuke can be started via the Windows Task Scheduler, via a customised service binary that spawns a new process specified in a special registry key, or when the user is away and the screensaver is activated.
2. Reconnaissance – The malware is able to steal a variety of information, including files selected by extension and by file name keywords, such as *.exe; *.ndb; *.mp3; *.avi; *.rar; *.docx; *.url; *.xlsx; *.pptx; *psw*; *pass*; *login*; *admin*; *vpn; *.jpg; *.txt; *.lnk; *.dll; *.tmp, etc.
The backdoor has many other capabilities including: keylogger, general network information harvester, screen grabber, clipboard grabber; Microsoft Outlook, Windows Address Book stealer, password stealer for Skype, Google Chrome, Google Talk, Opera, TheBat!, Firefox, Thunderbird, Protected Storage secrets harvester, Certificate/private keys exporter, etc.
3. Exfiltration – The malware implements several network connectors to exfiltrate data, including uploading data via FTP and three different variants of HTTP communication mechanisms.
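The reconnaissance component above selects files purely by name, so an incident responder can estimate what a compromised host would have exposed by running the same patterns over a file listing. The following is an added example, not code from the report or from the malware: it takes the extension and keyword patterns exactly as listed above and triages a constructed, hypothetical file listing; note the dot-less `*vpn` pattern, which matches any name ending in "vpn" (such as an `.ovpn` config), not a `.vpn` extension.

```python
import fnmatch
from pathlib import PureWindowsPath

# File selection patterns exactly as the report lists them for the
# CosmicDuke reconnaissance component (matched case-insensitively on the
# basename; note that "*vpn" has no dot and matches any name ending in "vpn").
COSMICDUKE_FILE_PATTERNS = [
    "*.exe", "*.ndb", "*.mp3", "*.avi", "*.rar", "*.docx", "*.url", "*.xlsx",
    "*.pptx", "*psw*", "*pass*", "*login*", "*admin*", "*vpn", "*.jpg",
    "*.txt", "*.lnk", "*.dll", "*.tmp",
]


def matching_patterns(path):
    """Return the patterns from the report that select this file, in list order."""
    # PureWindowsPath understands both '\\' and '/' separators, so the same
    # code works on a Windows host and on an analyst's Linux workstation.
    name = PureWindowsPath(path).name.lower()
    return [p for p in COSMICDUKE_FILE_PATTERNS if fnmatch.fnmatchcase(name, p)]


def triage(paths):
    """Map each path the collector would have selected to its matching patterns.

    Paths that match nothing are left out, so the result is the list an
    incident responder would review as 'potentially exfiltrated'.
    """
    selected = {}
    for path in paths:
        hits = matching_patterns(path)
        if hits:
            selected[path] = hits
    return selected


# Constructed sample listing (hypothetical host, not data from the report).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\Q3 report.docx",
    r"C:\Users\alice\Documents\passwords.xlsx",
    r"C:\Users\alice\Documents\notes.md",
    r"C:\Program Files\OpenVPN\config\office.ovpn",
    r"C:\Users\alice\Desktop\admin_Login.TXT",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_LISTING).items():
        print(f"{path}: {', '.join(hits)}")
```

Feed `triage()` a directory walk of the affected user profile and the output is the candidate list for the "what was taken" question; the keyword patterns (`*pass*`, `*login*`, `*admin*`) are the ones most worth chasing, since they select credential material regardless of file type.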
Storing exfiltrated data is another interesting feature of MiniDuke. When a file is uploaded to the C&C server it is split into small chunks (~3Kb), which are compressed, encrypted and placed in a container to be uploaded to the server. If the file is large enough it may be placed into several different containers that are uploaded independently. All these layers of additional processing guarantee that very few researchers will be able to get to the original data.
Each victim of MiniDuke is assigned a unique ID which allows the pushing of specific updates to an individual victim.
For self-protection, it uses a custom obfuscated loader which heavily consumes CPU resources before passing execution to the payload. This prevents antimalware solutions from analysing the implant and detecting its malicious functionality in an emulator, and it also complicates manual analysis of the malware.
C&Cs – twofold purpose. During the analysis, Kaspersky Lab experts were able to obtain a copy of one of the CosmicDuke command and control servers. It appears it was used not only for communication between the actors behind CosmicDuke and infected PCs, but also for other operations by the group members, including hacking into other servers on the Internet with the goal of collecting everything that could lead to potential targets. For this purpose, the C&C was equipped with a range of publicly available hacking tools for finding vulnerabilities in websites built on various engines and compromising them.
Victims. Interestingly, while the old style Miniduke implants were used to target mostly government entities, the new style CosmicDuke implants have a different typology of victims. Other than governments, there are diplomatic organisations, energy sector, telecom operators, military contractors and individuals involved in the traffic and selling of illegal and controlled substances.
We have analysed both CosmicDuke and old style Miniduke servers. From the latter we were able to extract a list of victims and their corresponding countries, and so found that the users of the old style Miniduke servers were interested in targets in Australia, Belgium, France, Germany, Hungary, the Netherlands, Spain, Ukraine and the United States. Victims in at least three of these countries belong to the “government” category.
One of the analysed CosmicDuke servers had a long list of victims (139 unique IPs) starting from April 2012. In terms of geographic distribution, the top 10 victim countries are Georgia, Russia, the US, Great Britain, Kazakhstan, India, Belarus, Cyprus, Ukraine and Lithuania. The attackers were also slightly interested in expanding their operations and scanned IP ranges and servers in the Republic of Azerbaijan, Greece and Ukraine.
Commercial platform. The most unusual victims discovered were individuals which appeared to be involved in the traffic and reselling of controlled and illegal substances, such as steroids and hormones. These victims have been observed only in Russia.
“It’s a bit unexpected – normally, when we hear about APTs, we tend to think they are nation-state backed cyber espionage campaigns. But we see two explanations for this. One possibility is that malware platform BotGenStudio used in Miniduke is also available as a so-called “legal spyware” tool, similar to others, such as HackingTeam’s RCS, widely used by law enforcement. Another possibility is that it’s simply available in the underground and purchased by various competitors in the pharma business to spy on each other” – commented Vitaly Kamluk, Principal Security Researcher at the Global Research & Analysis Team, Kaspersky Lab.
Attribution and Artifacts. Although the attackers use English in several places indicating knowledge of this language, there are certain indicators – like strings in a block of memory appended to the malware component used for persistence – which make experts believe they are not native English speakers.
Kaspersky Lab experts were also able to profile the activity of the Miniduke/CosmicDuke attackers on a day-of-the-week basis. It appears the attackers follow the Mon-Fri work week; however, they do not hold back from working weekends from time to time. In terms of activity hours, the attackers appear to work between 6am and 7pm GMT, with most of the work done between 6am and 4pm.
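The day-of-week and hour-of-day profiling described above is a standard attribution step once an analyst has operator timestamps from a seized C&C. The following is an added example, not code from the report: it builds the two histograms from a constructed, hypothetical set of UTC operator timestamps and reports what share of activity falls on weekdays, inside the 6am-7pm window and inside the 6am-4pm core window named in the text.

```python
from collections import Counter
from datetime import datetime, timezone

WEEKDAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample: UTC timestamps of operator logins/commands recovered from
# a hypothetical C&C server log. Not data from the report.
SAMPLE_EVENTS = [
    "2014-03-03T06:15:00Z", "2014-03-03T09:40:00Z", "2014-03-03T15:05:00Z",  # Mon
    "2014-03-04T07:02:00Z", "2014-03-04T11:30:00Z", "2014-03-04T18:45:00Z",  # Tue
    "2014-03-05T08:10:00Z", "2014-03-05T13:55:00Z",                          # Wed
    "2014-03-06T06:50:00Z", "2014-03-06T10:20:00Z", "2014-03-06T16:00:00Z",  # Thu
    "2014-03-07T09:00:00Z", "2014-03-07T14:30:00Z",                          # Fri
    "2014-03-08T12:00:00Z",                                                  # Sat
    "2014-03-10T02:00:00Z",                                                  # Mon, night
]


def parse_utc(timestamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def weekday_histogram(events):
    """Count events per day of week; every day Mon..Sun is present, even at zero."""
    counts = Counter(WEEKDAY_NAMES[dt.weekday()] for dt in events)
    return {day: counts[day] for day in WEEKDAY_NAMES}


def hour_histogram(events):
    """Count events per UTC hour 0..23."""
    counts = Counter(dt.hour for dt in events)
    return {hour: counts[hour] for hour in range(24)}


def fraction_in_window(events, start_hour, end_hour):
    """Fraction of events whose UTC hour lies in [start_hour, end_hour)."""
    if not events:
        return 0.0
    hits = sum(1 for dt in events if start_hour <= dt.hour < end_hour)
    return hits / len(events)


def weekday_fraction(events):
    """Fraction of events that fall on Monday..Friday."""
    if not events:
        return 0.0
    return sum(1 for dt in events if dt.weekday() < 5) / len(events)


def activity_profile(timestamps, work_start=6, work_end=19, core_start=6, core_end=16):
    """Summarise when an operator is active, using the windows the report names
    (6am-7pm GMT overall, 6am-4pm for the bulk of the work)."""
    events = [parse_utc(ts) for ts in timestamps]
    hours = hour_histogram(events)
    peak = max(hours.values()) if hours else 0
    return {
        "weekday_fraction": weekday_fraction(events),
        "work_window_fraction": fraction_in_window(events, work_start, work_end),
        "core_window_fraction": fraction_in_window(events, core_start, core_end),
        "by_weekday": weekday_histogram(events),
        "busiest_hours": sorted(h for h, n in hours.items() if n == peak),
    }


if __name__ == "__main__":
    for key, value in activity_profile(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The histograms are only as good as the clock they come from: normalise every log source to UTC before profiling, and treat the inferred work window as a hint about the operators' time zone rather than proof, since a high weekday share can also come from automated tasking.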
Detection. Kaspersky Lab products detect CosmicDuke backdoor as Backdoor.Win32.CosmicDuke.gen and Backdoor.Win32.Generic.
For more information, read our blog at Securelist.com.