CosmicDuke will steal your login data and own your network

New white paper from F-Secure details CosmicDuke--a malware threat combining elements of two notorious malware variants.

All malware is bad, but some malware is more insidious than others. That seems to be the case with CosmicDuke. According to a new white paper from F-Secure, CosmicDuke meshes elements of two notorious malware threats--MiniDuke and Cosmu--to form a potent new attack.

MiniDuke is an APT (advanced persistent threat) Trojan that was uncovered in early 2013. It was used in targeted attacks against NATO and various European government agencies.

According to a blog post from F-Secure, researchers found a variant in April 2014 that reused code from Cosmu, a family of information-stealing malware. The resulting threat pairs the loader from MiniDuke with the payload from Cosmu, creating an APT Trojan designed to steal login credentials, which F-Secure dubbed CosmicDuke.

The white paper describes how CosmicDuke is delivered by spear phishing: targeted emails and decoy documents lure users into compromising their own systems. Once a system is infected, CosmicDuke begins gathering sensitive information with a keylogger, a clipboard stealer, a screenshot grabber, and password-stealing utilities for a range of chat clients, email clients, and browsers. It can also steal cryptographic certificates together with their associated private keys.

The information collected by CosmicDuke is transmitted to remote servers. With stolen credentials in hand, attackers can log in to servers or online accounts, establish a foothold, spread to other systems throughout the network, and download and execute additional malware.
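The credential-reuse stage described above is the one a defender can watch for without knowing anything about the malware itself: a stolen password is most often used from a host the account never logged on from. The detector below is an added illustration, not code from the F-Secure paper or from this article. The log lines it runs over are constructed for the example, and their format (timestamp, user, source host, destination, result) is an assumption rather than any real product's log format.

```python
"""Flag logons where an account authenticates from a source host it has not
used before, the pattern that reuse of stolen credentials produces.

Added illustration, not code from F-Secure or the article.  SAMPLE_LOG is
constructed for this example; the field layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: a few days of routine logons, then one evening
# where the 'jdoe' credentials are used from a workstation (WS-0207) that
# account never logged on from, fanning out to several servers.
SAMPLE_LOG = """\
2014-07-01T08:02:11 user=jdoe src=WS-0412 dst=FILESRV01 result=success
2014-07-01T08:05:40 user=jdoe src=WS-0412 dst=MAIL01 result=success
2014-07-02T08:10:03 user=jdoe src=WS-0412 dst=FILESRV01 result=success
2014-07-02T09:30:17 user=asmith src=WS-0207 dst=FILESRV01 result=success
2014-07-03T08:01:55 user=jdoe src=WS-0412 dst=MAIL01 result=success
2014-07-03T22:14:09 user=jdoe src=WS-0207 dst=FILESRV01 result=success
2014-07-03T22:15:30 user=jdoe src=WS-0207 dst=DC01 result=success
2014-07-03T22:16:02 user=jdoe src=WS-0207 dst=ADMIN-JUMP result=failure
"""

# Everything before this point is treated as known-good history (assumption
# for the demo; in practice this would be a rolling window of weeks).
BASELINE_UNTIL = datetime(2014, 7, 3, 12, 0, 0)


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def new_source_alerts(events, baseline_until):
    """Return one alert per (user, source host) pair that first appears after
    the baseline cut-off.  Each alert lists every destination the pair went
    on to touch, including failed attempts, so the fan-out is visible."""
    known = defaultdict(set)  # user -> source hosts seen during the baseline
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, src = ev["user"], ev["src"]
        if ev["ts"] < baseline_until:
            if ev["result"] == "success":
                known[user].add(src)
            continue
        if src in known[user]:
            continue  # a host this account routinely uses
        alert = next((a for a in alerts
                      if a["user"] == user and a["src"] == src), None)
        if alert is None:
            alert = {"user": user, "src": src,
                     "first_seen": ev["ts"], "targets": []}
            alerts.append(alert)
        alert["targets"].append((ev["dst"], ev["result"]))
    return alerts


def run_demo():
    """Run the detector over the constructed log and return its alerts."""
    return new_source_alerts(parse_log(SAMPLE_LOG), BASELINE_UNTIL)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['first_seen'].isoformat()} {a['user']} from new host "
              f"{a['src']} -> {', '.join(f'{d}:{r}' for d, r in a['targets'])}")
```

The baseline is the whole trick: an account that only ever came from one workstation and suddenly appears from another, hitting a domain controller and an admin jump host within minutes, is worth a phone call even when every logon succeeded. An account with no history at all (a new hire) will also fire, so treat the alert as a triage queue rather than a verdict. The actual CosmicDuke indicators (file hashes, C2 addresses) live in the F-Secure white paper, not in this example.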

None of this is especially innovative, and F-Secure doesn't consider CosmicDuke groundbreaking as a piece of malware. What is most concerning about CosmicDuke is that it blurs the line between state-sponsored cyber espionage and run-of-the-mill crimeware.

According to Sean Sullivan, a security advisor for F-Secure, there are at least indications that the group behind CosmicDuke is a well-organized entity, possibly working under "contract" to gather sensitive information on behalf of a government customer.

"At the moment, crimeware which targets consumers is under attack by international law enforcement," Sullivan says. "It is quite possible that the displaced crimeware vendors found a new buyer of information."

F-Secure is not aware of any specific targets, but there is evidence that CosmicDuke is being used or is intended for use in targeted attacks. F-Secure says that the decoy document names and subject lines--like "Ukraine-Gas-Pipelines-Security-Report-March-2014.pdf"--used by CosmicDuke point to use against specific industries.

The main thing organizations need to take from CosmicDuke is that the threat landscape continues to evolve. Over the last decade or so we have seen a transition from script kiddies writing malware for fun, to organized crime syndicates developing more professional attacks with a profit motive, to state-sponsored cyber espionage using far more sophisticated malware and exploits. CosmicDuke may represent a new shift that merges the last two in ways that pose a significant threat.

Sullivan stresses that it's important for organizations to determine security needs based on the threat landscape and dedicate the budget to meet those needs. Allowing cost to dictate security measures is a backwards approach and is simply bad management.

"You are a target," Sullivan says. "Keep calm and secure your stuff."

Stories by Tony Bradley

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place