CosmicDuke is a newly identified piece of malware that combines the infamous MiniDuke with the much older Cosmu information-stealer family. It was first disclosed by researchers at F-Secure on Thursday.
It was initially unclear whether the malware was being used in real-world attacks. However, on Friday Kaspersky Lab researchers reported finding evidence that it is being used in an ongoing attack campaign.
“Recently, we became aware of an F-Secure publication on the same topic under the name ‘CosmicDuke’. During the analysis, we were able to obtain a copy of one of the CosmicDuke command-and-control servers,” read the report.
“One of the CosmicDuke servers we analysed had a long list of victims dating back to April 2012. This server had 265 unique identifiers assigned to victims from 139 unique IPs.”
The UK is the fourth worst affected country, with Kaspersky detecting 14 infections. Ahead of it are Georgia (84 infections), Russia (61) and the United States (34).
The malware gives attackers broad control of an infected machine and deploys a set of information-stealing components, including a keylogger, a clipboard stealer, a screenshot grabber and password stealers for a variety of popular chat, email and web browser programs.
Kaspersky reported that the victims included governments, diplomatic bodies, energy companies, telecom operators, military departments and contractors and “individuals involved in the traffic and selling of illegal and controlled substances”.
The Kaspersky researchers said MiniDuke/CosmicDuke is particularly dangerous because it uses several techniques designed to frustrate analysis and evade detection.
“MiniDuke/CosmicDuke is protected with a custom obfuscated loader, which heavily consumes CPU resources for three to five minutes before passing execution to the payload. This not only complicates analysis of the malware but is also used to drain resources reserved for execution in emulators integrated in security software,” explained the report.
“Besides its own obfuscator, it makes heavy use of encryption and compression based on the RC4 and LZRW algorithms respectively. Implementations of these algorithms have tiny differences from the standardised code, which perhaps looks like a mistake in the code. Nevertheless, we believe that these changes were introduced on purpose to mislead researchers.”
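The "tiny differences from the standardised code" point is easy to miss until you try to decode a sample with an off-the-shelf RC4 and get garbage. The following is an added illustration, not code from the Kaspersky report or from the malware: it places textbook RC4 beside a variant whose key-scheduling loop has one extra term (an invented tweak chosen for the example, not CosmicDuke's actual modification), and shows a small decoder that tries both and identifies which one produced a blob by checking for the PE "MZ" magic. The sample key and payload are constructed for the example; it does not model the CPU-burning loader.

```python
"""Textbook RC4 next to a one-token-tweaked variant, plus a decoder that
tells the two apart.  The tweak (mixing the loop counter into the KSA) is
an assumption made for this example, not the real CosmicDuke change."""


def rc4_keystream(key: bytes, length: int, tweaked: bool = False) -> bytes:
    """Return `length` keystream bytes.

    tweaked=False: standard RC4 key scheduling (KSA) and output (PRGA).
    tweaked=True : identical except the KSA also adds the loop index `i`
                   when updating `j` (hypothetical one-line modification).
    """
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)] + (i if tweaked else 0)) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes, tweaked: bool = False) -> bytes:
    """Encrypt or decrypt `data` (RC4 is symmetric) with the chosen variant."""
    ks = rc4_keystream(key, len(data), tweaked)
    return bytes(a ^ b for a, b in zip(data, ks))


MZ = b"MZ"  # DOS/PE header magic used as the plaintext sanity check


def identify_cipher(blob: bytes, key: bytes):
    """Try each decoder in turn; return 'standard', 'tweaked' or None
    depending on which one yields a buffer starting with the 'MZ' magic."""
    for name, flag in (("standard", False), ("tweaked", True)):
        if rc4(key, blob, flag).startswith(MZ):
            return name
    return None


# Constructed sample: a fake PE stub encrypted with the tweaked variant.
SAMPLE_KEY = b"example-key"
SAMPLE_PAYLOAD = MZ + b"\x90" * 14 + b"...rest of stub..."
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PAYLOAD, tweaked=True)

if __name__ == "__main__":
    # Known RC4 test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print("standard RC4 vector:", rc4(b"Key", b"Plaintext").hex())
    print("standard decode of sample:", rc4(SAMPLE_KEY, SAMPLE_BLOB)[:8])
    print("identified as:", identify_cipher(SAMPLE_BLOB, SAMPLE_KEY))
```

Running it shows the standard decoder turning the sample into noise while the tweaked one recovers the "MZ" header. In practice the analyst does not know the tweak in advance; the point is that a failing known-good implementation on a sample that is clearly RC4-shaped (256-byte S-box, swap loop) is itself the signal to diff the malware's routine against the textbook algorithm instruction by instruction.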
F-Secure security analyst Sean Sullivan told V3 that the firm has so far only captured decoy-document samples of CosmicDuke and has yet to see it used in a real-world attack, but added that there is evidence to suggest it is being used by state-sponsored groups.
"It appears to be state sponsored. Or else it is an organised actor – perhaps a contractor who is gathering information to sell to a government. At the moment, crimeware which targets consumers is under attack by international law enforcement so it is quite possible that the displaced crimeware vendors found a new buyer of information."
Sullivan cited CosmicDuke as proof that firms must invest in cyber security, warning them: "You are a target. Keep calm and secure your stuff. For IT managers: ask for the security budget you need, and fight for it. There is more evidence than ever that letting cost dictate security is bad management."
CosmicDuke is one of many advanced threats uncovered recently. Symantec reported on Wednesday that the infamous Dragonfly hackers have returned and are targeting a number of Western critical infrastructure companies with cyber attacks capable of physically sabotaging their systems.