CosmicDuke Malware (the ‘new’ MiniDuke)
What is it?
Discovered in 2014, CosmicDuke uses the old style Miniduke implants from 2013 that are still around and are being used in active campaigns that target governments and other entities. After the 2013 exposure, the actor behind Miniduke started using another custom backdoor. The main “new” Miniduke backdoor (aka TinyBaron or CosmicDuke) is capable of stealing various types of information.
Although the Miniduke APT actor stopped its campaign, or at least decreased its intensity, in the beginning of 2014 they once again resumed attacks in full force in early 2014. This time around we have noticed changes in the way attackers act and tools they use.
The main “new” Miniduke backdoor (aka TinyBaron or CosmicDuke) is compiled using a customizable framework called BotGenStudio, which has flexibility to enable or disable components when the bot is constructed.
The components can be divided into 3 groups:
- Persistence – Miniduke/CosmicDuke is capable of starting via Windows Task Scheduler
- Reconnaissance – The malware is able to steal a variety of information, including files based on extensions and file name keywords, like *.exe; *.ndb; *.mp3; *.avi; *.rar; *.docx; *.url; *.xlsx; *.pptx; *jpg; *.txt; *.lnk; *.dll; *.tmp., etc.
- Exfiltration - The malware implements several network connectors to exfiltrate data, including uploading data via FTP and three various variants of HTTP communication mechanisms.
How do I know I am infected?
Kaspersky Lab products detect CosmicDuke backdoor as Backdoor.Win32.CosmicDuke.gen and Backdoor.Win32.Generic. If you already have a Kaspersky product, the CosmicDuke malware should have already been detected. If you do not have a Kaspersky product already installed, you will need to download and install any of the Kaspersky antivirus products and run the software.