CosmicDuke malware may hit European governments

News by Steve Gold

A complex variant of the MiniDuke malware - first seen almost 18 months ago and which targets NATO and other European government IT systems - has been spotted.

The new code, classed as an APT (advanced persistent threat) by F-Secure's research arm, combines MiniDuke with a second piece of darkware called Cosmu to create a new, multi-vectored malware family dubbed CosmicDuke.

In its white paper on CosmicDuke's capabilities, the security vendor says the new darkware is delivered through targeted files or emails, spear-phishing style, that lure users into compromising their own IT systems.

Once the target system is infected, CosmicDuke then begins harvesting sensitive information using a keylogger, a clipboard stealer, a screenshot grabber, and password stealing utilities for a variety of chat, email, and browsers. It can also, says F-Secure, steal cryptographic certificates and their associated private encryption keys.

As you might expect, data harvested by the malware is then exfiltrated to remote command-and-control servers, with the attackers using the stolen credentials to gain unauthorised access to various online accounts.

As well as being hybridised and multi-vectored, F-Secure says that CosmicDuke bridges the gap between state-sponsored malware in the vein of Stuxnet and more mundane malware like Zeus.

Despite its in-depth research, F-Secure says it has not spotted any specific targets yet, but adds there is evidence that CosmicDuke is being used or is intended for use in targeted attacks.

Tony Kenyon, EMEA technical director with A10 Networks, said what is interesting about CosmicDuke is the re-use of much older code dating back to the early 2000s.

"Both Cosmu and MiniDuke appear to share common code. Code re-use is normally promoted as good practice, although in this case we might want to think of this as a different class of anti-pattern," he said, adding that, as for the risk posed by this malware, its actual scope remains unclear.

This, he explained, is because the specific transport mechanism has not been fully characterised.

"One would expect most email [security] solutions armed with up-to-date AV protection to fend these attacks off without too much trouble. Even so, there is still a reliance on users being vigilant about what they open, in terms of file attachments and dropped files," he said.

Steve Armstrong, technical security director with Logically Secure, said that CosmicDuke is a complex piece of code and, whilst it is clearly targeted, he expects to see this level of sophistication appearing in more routine malware in the near future.

The sophistication, he says, will include features such as signed code and the ability to draw down DLLs and other code once a given application has been passed by the company's IT security technology.

Armstrong, a SANS Institute Instructor and experienced pen tester, says that the solution to sophisticated malware like CosmicDuke is to maintain a constant level of analysis on the corporate IT system, rather than simply performing one-off analyses as the code enters the platform.

"Whilst this obviously consumes more processing power, with today's high-powered systems, this shouldn't be a problem," he noted.

Craig Young, a security researcher with Tripwire, was more sanguine, saying that masquerading malicious executables as images or documents is a long standing trick relying on social engineering.

"Typically the trick involves specifying an icon which matches software meant for handling that file type - Adobe Acrobat for example. Adding to this, attackers will often use file names with multiple periods to make the file appear to be of a different type," he said, adding that another far more sophisticated technique is to leverage a file format vulnerability.

Using this approach, he says, parsing errors within document or image readers can be exploited to run the attacker's code.

Michael Sutton, VP of security research with Zscaler, meanwhile, said that, whilst the information stealing malware known as CosmicDuke is robust, leveraging a variety of methods to gather intelligence, the good news for potential victims is that the infection techniques employed are not particularly sophisticated.

"CosmicDuke is taking one of two approaches to infect the victim's machine. The first leverages a known and now dated file format vulnerability (CVE-2011-0611), while the second is a pure social engineering attack which renames executable files to make them appear to be documents by hiding their true file extensions and changing their default images," he said.

Sutton added that administrators can learn two lessons from such attacks.

"Firstly, all binary files should be interrogated before being permitted to be downloaded, and it is important to use techniques beyond antivirus that don't rely on signatures, such as behavioural analysis," he said, adding that even though the exploits use a known vulnerability, variants that package it in a new form can bypass signature-based systems such as anti-virus.

"Secondly, executable files should not be permitted for download by end users, especially without also being thoroughly analysed for the presence of malware," he explained.
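As an added illustration of the two lessons Sutton draws, and of the masquerading trick Young describes (icon spoofing aside, which lives in the PE resources rather than the file name), the following Python script is an example written for this article, not code from F-Secure, Zscaler or Tripwire. It interrogates a would-be download before release by comparing what the file name claims with what the bytes actually are: it parses the DOS and PE headers to recognise a Windows executable regardless of extension, flags multiple-period names such as `photo.jpg.exe` that hide the real extension, checks that a file claiming to be a PDF or image carries that format's signature, and applies a blanket no-executables policy. The sample attachments, including a minimal constructed PE header with no real code, are built inline so the script runs offline; the extension lists and policy are assumptions for the example.

```python
"""Pre-download attachment check: does the content match what the file name claims?

Added example for this article, not vendor code. Samples are constructed inline.
"""
import struct
from dataclasses import dataclass

# Assumed policy lists: extensions users expect a document/image viewer to open,
# and extensions that Windows will execute directly.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".jpg", ".jpeg", ".png", ".gif", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll"}

# Leading bytes a genuine file of the claimed type must carry.
KNOWN_SIGNATURES = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def is_pe_executable(data: bytes) -> bool:
    """True if data has an 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def all_extensions(name: str) -> list:
    """Every dotted suffix, lower-cased: 'report.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


@dataclass
class Verdict:
    name: str
    allowed: bool
    reasons: list


def inspect_attachment(name: str, data: bytes) -> Verdict:
    """Return a verdict with every reason the file should be held back (empty means allow)."""
    reasons = []
    exts = all_extensions(name)
    final_ext = exts[-1] if exts else ""

    # 1. Content says "executable" while the visible extension says "document".
    if is_pe_executable(data) and final_ext not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"PE executable content behind extension {final_ext or '(none)'}")

    # 2. Multiple-period trick: a document extension placed before the real one,
    #    so 'invoice.pdf.exe' displays as 'invoice.pdf' when known extensions are hidden.
    if final_ext in EXECUTABLE_EXTENSIONS and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
        reasons.append(f"document extension {exts[:-1]} masks executable extension {final_ext}")

    # 3. Claimed document or image type whose bytes do not carry that format's signature.
    expected = KNOWN_SIGNATURES.get(final_ext)
    if expected and not data.startswith(expected):
        reasons.append(f"content does not carry the {final_ext} signature")

    # 4. Blanket policy from the article: end users do not download executables.
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable download blocked by policy")

    return Verdict(name, allowed=not reasons, reasons=reasons)


def fake_pe() -> bytes:
    """Constructed sample: a minimal buffer with a valid-looking PE header and no code."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew points at offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


# Constructed attachments: one benign document and four lures.
SAMPLES = {
    "minutes.pdf": b"%PDF-1.4 (constructed sample)",
    "photo.jpg.exe": fake_pe(),        # multiple-period trick
    "agenda.pdf": fake_pe(),           # PE bytes behind a document extension
    "notes.png": b"not really a png",  # claimed type, wrong signature
    "setup.exe": fake_pe(),            # plain executable
}


def scan(samples: dict) -> dict:
    """Run inspect_attachment over every sample; returns name -> Verdict."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for v in scan(SAMPLES).values():
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5} {v.name}: {'; '.join(v.reasons) or 'ok'}")
```

Only `minutes.pdf` is released; the other four are held with the reason recorded, which is the evidence an analyst wants when the behavioural sandbox Sutton mentions later reports on the same file. The check is deliberately independent of any signature database: it asks whether the bytes are a PE image at all, so a repackaged variant of a known sample fails it just as the original does.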
