Categories: SecurityWorkspace

New Strain Of MiniDuke Malware Now Targets Criminals

MiniDuke, the unusual, highly customized malware that was used to spy on government organisations in 2013, has added new functionality and expanded its target list, according to a report by Kaspersky Labs.

An upgraded version of the code, known as CosmicDuke, has been spotted infecting drug dealers and military contractors as well as the traditional government targets. Researchers at Kaspersky suggest that the malware has been adopted by new users, some of which might actually work for law enforcement agencies.

MiniDuke and its derivatives are interesting because they are decisively old-school: written in Assembler, they use an obfuscated loader, encrypt communications and the downloader code weighs just 20kb.

Ain’t no school like the old school

MiniDuke, originally discovered by Kaspersky Labs in 2013, has been targeting organisations in the US, Ukraine, Belgium, Portugal, Romania, the Czech Republic, Hungary and Ireland. It can be managed through several channels, including automated Twitter accounts which broadcast ‘Command & Control’ codes, and hide update executables inside GIF files.

The malware spreads using social engineering techniques: for example, in Eastern Europe it was found hiding inside customised PDF documents which mentioned subjects like Ukraine’s foreign policy and NATO membership plans.

Eugene Kaspersky said at the time that the complex nature of MiniDuke reminded him of the classic malware created at the end of the 1990s.

Meanwhile the new strain, dubbed ‘CosmicDuke’ has been compiled using a customisable framework called BotGenStudio. It is nowable to steal a much wider variety of data, including files based on extensions and keywords.

The malware has been attacking a wide variety of organisations in the UK, US, Russia, Georgia, Kazakhstan, India, Belarus, Cyprus, Ukraine and Lithuania. Quite surprisingly, in Russia CosmicDuke has been used to target other criminals, namely the illegal sellers of steroids and hormones.

“It’s a bit unexpected – normally, when we hear about APTs [Advanced Persistent Threats], we tend to think they are nation-state backed cyber espionage campaigns,” said Vitaly Kamluk, principal security researcher at Kaspersky.

“But we see two explanations for this. One possibility is that malware platform BotGenStudio used in Miniduke is also available as a so-called ‘legal spyware’ tool, similar to others, such as HackingTeam’s RCS, widely used by law enforcement. Another possibility is that it’s simply available in the underground and purchased by various competitors in the pharma business to spy on each other.”

CosmicDuke can also log keyboard commands, harvest network information, take screenshots, steal address books and passwords and export private keys and certificates.After the data has been accessed, the malware implements several network connections for exfiltration, including FTP and three various variants of HTTP.

Each victim of MiniDuke is assigned a unique ID which allows the pushing of specific updates to an individual machine.

How well do you know network security? Try our quiz and find out!

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago