Security researchers have spotted new malware in the wild combining code from the MiniDuke APT Trojan and information grabbing Cosmu, designed to steal data from chat, email and web browser programs.
CosmicDuke has two methods of infecting targeted networks, according to a new report from Finnish-based F-Secure.
One is via a malicious Flash object embedded into a PDF file which exploits a known vulnerability in Adobe products when launched.
The other involves social engineering techniques to tricking a user into clicking onto an innocent-looking document or image hiding the malware executable.
Once inside, CosmicDuke’s main task is to steal information, according to F-Secure.
It has a variety of ways of doing this, including keylogging; screenshot grabs; and stealing files and clipboard data. It also works to grab PKI certs and private key information as well as WLAN passwords, Windows password hashes, and log-in credentials for IM and email clients and browsers.
After it is collected, the information in question is sent via FTP to a remote server.
As well as stealing information from the victim’s machine, CosmicDuke has also been designed to download and execute other malware, according to F-Secure senior researcher Timo Hirvonen.
“The filenames and content used in CosmicDuke's attack files to lure victims contain references to the countries of Ukraine, Poland, Turkey, and Russia, either generally in use of language or included detail, or in allusions to events or institutions,” he explained in a blog post.
“The filenames and content chosen seem to be tailored to their target’s interests, though we have no further information on the identity or location of these victims yet.”
The backdoor MiniDuke has actually been around for quite some time – having been first identified in February 2013 when it was used in a series of apparently politically motivated attacks against NATO and various European government agencies, he added.
However, on further analysis in April this year, Hirvonen and his team discovered that the Cosmu malware family used the same loader as MiniDuke.
“What makes the connection to MiniDuke interesting is that, based on compilation timestamps, it was Cosmu, not MiniDuke, which originally used the common shared loader,” Hirvonen added.
“Moreover, we found that the loader was updated at some point, and both malware families took the updated loader into use. Since Cosmu is the first malware known to share code with MiniDuke, we decided to name the samples showing this amalgamation of MiniDuke-derived loader and Cosmu-derived payload as CosmicDuke.”