Dormant Miniduke APT campaign returns with better malware

The Miniduke advanced persistent threat (APT) campaign that has been dormant for more than a year is back with more data-stealing tools and better defenses against prying security researchers.

[The processes and tools behind a true APT campaign: Overview]

Miniduke went nearly dark after February 2013, which is when Kaspersky Lab and CrySys Lab first publicized the campaign targeting mostly government organizations in Europe.

Oddly, while still going after the same groups, the attackers behind the campaign have added spying on online traffickers in illegal substances, such as hormones and steroids.

The new Miniduke uses a custom backdoor that combines the code of the original malware with that of the Cosmu family of information-stealers, which has been around at least since 2001.

Dubbed CosmicDuke, the new malware uses the MiniDuke-derived loader and the Cosmu-derived payload. Anti-virus vendor F-Secure was the first to discover and name CosmicDuke.

The backdoor is compiled using a customizable framework called BotGenStudio, which has the flexibility to enable or disable components when the compromised PC is turned into a bot.

Each infected system is assigned a unique identifier, making it possible for the attackers to push updates specific to an individual victim, Kaspersky said in its SecureList blog.

The malware is designed to steal a variety of files based on extensions and file name keywords. The backdoor has about 20 capabilities that include stealing Skype, Google Chrome, Google Talk, Opera, Firefox and Thunderbird passwords.

CosmicDuke can also take screen images every five minutes, grab content from the clipboard every 30 seconds and export certificates and private keys.

The malware uses an unusual method of storing stolen data. It breaks up a file into small, 3 KB chunks that are compressed, encrypted and placed in a container for uploading to a command and control server, Kaspersky said.

If the file is large enough, it can be broken up into several hundred containers that are uploaded independently. The data pieces are likely parsed, decrypted, unpacked and reassembled on the attackers’ side.

“Creating such a complicated storage might be an overhead; however, all those layers of additional processing guarantees that very few researchers will get to the original data while offering an increased reliability against network errors,” Kaspersky said.

Systems infected with CosmicDuke and the older Miniduke malware, which the attackers still used, were in government, the energy sector, the military and the defense industry.

[Why you need to embrace the evolution of APT]

Also affected were individuals involved in the trafficking of illegal and controlled substances. These victims were only in Russia.

Countries with victims in the government category included Australia, Belgium, France, Germany, Hungary, Netherlands, Spain, Ukraine and the United States.