Dormant Miniduke APT campaign returns with better malware

The Miniduke advanced persistent threat (APT) campaign that has been dormant for more than a year is back with more data-stealing tools and better defenses against prying security researchers.

[The processes and tools behind a true APT campaign: Overview]

Miniduke went nearly dark after February 2013, which is when Kaspersky Lab and CrySys Lab first publicized the campaign targeting mostly government organizations in Europe.

Oddly, while still going after the same groups, the attackers behind the campaign have added spying on online traffickers in illegal substances, such as hormones and steroids.

The new Miniduke uses a custom backdoor that combines the code of the original malware with that of the Cosmu family of information-stealers, which has been around at least since 2001.

Dubbed CosmicDuke, the new malware uses the MiniDuke-derived loader and the Cosmu-derived payload. Anti-virus vendor F-Secure was the first to discover and name CosmicDuke.

The backdoor is compiled using a customizable framework called BotGenStudio, which has the flexibility to enable or disable components when the compromised PC is turned into a bot.

Each infected system is assigned a unique identifier, making it possible for the attackers to push updates specific to an individual victim, Kaspersky said in its SecureList blog.

The malware is designed to steal a variety of files based on extensions and file name keywords. The backdoor has about 20 capabilities that include stealing Skype, Google Chrome, Google Talk, Opera, Firefox and Thunderbird passwords.

CosmicDuke can also take screen images every five minutes, grab content from the clipboard every 30 seconds and export certificates and private keys.

The malware uses an unusual method of storing stolen data. It breaks up a file into small, 3 KB chunks that are compressed, encrypted and placed in a container for uploading to a command and control server, Kaspersky said.

If the file is large enough, it can be broken up into several hundred containers that are uploaded independently. The data pieces are likely parsed, decrypted, unpacked and reassembled on the attackers' side.

"Creating such a complicated storage might be an overhead; however, all those layers of additional processing guarantees that very few researchers will get to the original data while offering an increased reliability against network errors," Kaspersky said.

Systems infected with CosmicDuke and the older Miniduke malware, which the attackers still used, were in government, the energy sector, the military and the defense industry.

[Why you need to embrace the evolution of APT]

Also affected were individuals involved in the trafficking of illegal and controlled substances. These victims were only in Russia.

Countries with victims in the government category included Australia, Belgium, France, Germany, Hungary, Netherlands, Spain, Ukraine and the United States.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsdata breachMiniDukeAPT attackf-securesoftwareadvanced persistent threatsbotnet researchdata protectionmalwarekaspersky labsecurity

More about APTF-SecureGoogleKasperskyKasperskySkype

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place