CosmicDuke malware mashup steals login data to take over networks
Security company F-Secure has uncovered a new malware attack that blends together elements of two earlier threats in an attempt to compromise enterprise networks.
CosmicDuke includes elements from the MiniDuke advanced persistent threat (APT) Trojan combined with the info-stealing Cosmu family. MiniDuke first appeared last year and was used in attacks against NATO and some European government agencies.
F-Secure has published a white paper describing how CosmicDuke is delivered through phishing emails and attached files that trick users into compromising their own systems. Once installed, it gathers information using keyloggers, screenshot grabbers and other techniques. The collected data is then transmitted to remote servers so that attackers can use it to compromise more of the network and install further malware.
Sean Sullivan, security advisor at F-Secure, says, "CosmicDuke isn't advanced in the way that MiniDuke was. But this is interesting as it moves towards a 'commoditized' not-for-profit info-stealer with connections to the existing crimeware ecosystem".
What's particularly worrying about CosmicDuke is that it blends elements of cybercrime with state-sponsored espionage. Sullivan adds that it could be "...an organized actor (a 'contractor' perhaps?) who is gathering information to sell to a government. At the moment, crimeware which targets consumers is under attack by international law enforcement -- it is quite possible that the displaced crimeware vendors found a new buyer of information".
Decoy document names uncovered by F-Secure include titles referencing gas pipelines and Ukraine, which suggests that this malware may be targeted at specific industries.
This is a very organized and professional attack, and Sullivan advises businesses: "You are a target. Keep calm and secure your stuff".