MiniDuke, CosmicDuke and OnionDuke have a same matrix

Pierluigi Paganini January 12, 2015

Security experts collected further evidences of the link between the CosmicDuke, Miniduke and OnioDuke Advanced Persistent Threat campaigns.

Researchers at F-Secure firm are constantly monitoring the cyber espionage campaigns MiniDukeCosmicDuke and OnionDuke and provided an interesting update on the hacking operation.

Below a short description of the campaigns:

MiniDuke: Kaspersky Lab and Hungary’s Laboratory of Cryptography and System Security, or CrySyS, in February 2013 revealed that unknown hackers targeted dozens of computers at government agencies across Europe in a series of cyber attacks that exploited a recently discovered security flaw in Adobe software. Analyzing the logs from the command servers security the experts have found 59 unique victims in 23 countries.

CosmicDuke: In April 2014, experts at F-Secure, while investigating on MiniDuke malicious code discovered a link to a new strain of malware, dubbed CosmicDuke, belonging to Cosmu family. The malware family discovered was using the same loader as MiniDuke stage 3.

Cosmu Miniduke malware 2

OnionDuke: In November 2014, experts Josh Pitts of Leviathan Security Group identified a Russian Tor exit node that was patching the binaries downloaded by the users with malware. Experts at F-Secure discovered a link between the crew operating the rogue Tor node that was used to spread the OnionDuke malware and the MiniDuke APT. The malware was any way different from the ones used in the past by the threat actor behind the MiniDuke crew. The OnionDuke has been used in attacks against government agencies and mass infection campaigns against Tor and torrent users.

The researchers at F-Secure have analyzed malicious documents uploaded to the Free Online Virus, Malware and URL Scanner service VirusTotal, and have discovered that at least one the Ministry of Foreign Affairs in Europe has been the victim of a targeted attack. The documents used for the cyber espionage campaign against the Ministry of Foreign Affairs in Europe reference the EU sanctions against Russia over the crisis in Ukraine, the attackers used social engineering tactics to trick users into enabling macros, a necessary step to allow the CosmicDuke infection.

CosmicDuke linked Miniduke F-Secure

This sample of CosmicDuke analyzed by the experts was specifically designed to install MiniDuke malware on infected systems.

“In our analysis released in July we mentioned that CosmicDuke seems to be connected to MiniDuke because both malware families use the same loader which has been exclusively used by the MiniDuke group. The CosmicDuke samples that infect the system with MiniDuke give us further evidence that the same actor is behind both malware families.” reports F-Secure in a Blog post.

Initially CosmicDuke was initially linked to MiniDuke because the researchers discovered that the two malicious code was using the same loader, the new discovery confirms the suspect.

“CosmicDuke and MiniDuke complement each other. CosmicDuke is an infostealer – ideal for reconnaissance and data exfiltration. MiniDuke is a backdoor – it gives the attacker full control of the computer,” Timo Hirvonen, senior researcher at F-Secure explained to SecurityWeek.

The experts highlighted that CosmicDuke has been observed in operations targeting government entities, high-profile organizations, and users involved in the trafficking of controlled and illegal substances.

The researchers at F-Secure revealed that in APT campaigns, the attackers used a dedicates infrastructure for OnionDuke that’s shared with MiniDuke. In these cases, the threat actors used a full version of the malware. The experts also noticed that in the mass infection campaigns, the C&C infrastructure was relying on compromised servers and free hosting services, and in these cases, the attackers have used a lighter version of OnionDuke.

Who is behind the cyber espionage campaigns?

The experts speculated that CosmicDuke, MiniDuke and OnionDuke are the products of Russian state-sponsored hackers because the campaigns targeted governments with an interest in Russian affairs. The fact that CosmicDuke operations targeted users of illegal substances may also indicate the involvement of law enforcement agencies of the Russian Government.

Stay Tuned.


[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  MiniDuke, CosmicDuke , OnionDuke)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment