New Strain Of MiniDuke Malware Now Targets Criminals

CosmicDuke has been used against illegal drug vendors in Russia

MiniDuke, the unusual, highly customized malware that was used to spy on government organisations in 2013, has added new functionality and expanded its target list, according to a report by Kaspersky Labs.

An upgraded version of the code, known as CosmicDuke, has been spotted infecting drug dealers and military contractors as well as the traditional government targets. Researchers at Kaspersky suggest that the malware has been adopted by new users, some of which might actually work for law enforcement agencies.

MiniDuke and its derivatives are interesting because they are decidedly old-school: written in assembler, they use an obfuscated loader and encrypted communications, and the downloader code weighs just 20KB.

Ain’t no school like the old school

MiniDuke, originally discovered by Kaspersky Labs in 2013, has been targeting organisations in the US, Ukraine, Belgium, Portugal, Romania, the Czech Republic, Hungary and Ireland. It can be managed through several channels, including automated Twitter accounts which broadcast ‘Command & Control’ codes, and its operators hide update executables inside GIF files.

The malware spreads using social engineering techniques: for example, in Eastern Europe it was found hiding inside customised PDF documents which mentioned subjects like Ukraine’s foreign policy and NATO membership plans.

Eugene Kaspersky said at the time that the complex nature of MiniDuke reminded him of the classic malware created at the end of the 1990s.

Meanwhile the new strain, dubbed ‘CosmicDuke’, has been compiled using a customisable framework called BotGenStudio. It is now able to steal a much wider variety of data, including files selected by extension and by keyword.

The malware has been attacking a wide variety of organisations in the UK, US, Russia, Georgia, Kazakhstan, India, Belarus, Cyprus, Ukraine and Lithuania. Quite surprisingly, in Russia CosmicDuke has been used to target other criminals, namely the illegal sellers of steroids and hormones.

“It’s a bit unexpected – normally, when we hear about APTs [Advanced Persistent Threats], we tend to think they are nation-state backed cyber espionage campaigns,” said Vitaly Kamluk, principal security researcher at Kaspersky.

“But we see two explanations for this. One possibility is that malware platform BotGenStudio used in Miniduke is also available as a so-called ‘legal spyware’ tool, similar to others, such as HackingTeam’s RCS, widely used by law enforcement. Another possibility is that it’s simply available in the underground and purchased by various competitors in the pharma business to spy on each other.”

CosmicDuke can also log keystrokes, harvest network information, take screenshots, steal address books and passwords, and export private keys and certificates. After the data has been collected, the malware uses several network channels for exfiltration, including FTP and three variants of HTTP.

Each victim of MiniDuke is assigned a unique ID which allows the pushing of specific updates to an individual machine.
