Top 10 countries: Georgia, Russia, USA, Great Britain, Kazakhstan, India, Belarus, Cyprus, Ukraine, Lithuania. Others include Azerbaijan, Greece and Ukraine.
Trojanized software installers
Data theft
The TinyBaron/CosmicDuke custom backdoor is compiled using a customizable framework called "BotGenStudio", which has sufficient flexibility to enable/disable components when the bot is constructed.
The attackers use strong self-protection to prevent antimalware solutions from analyzing the implant and detecting its malicious functionality via an emulator. This protection also complicates manual malware analysis.
CosmicDuke targets individuals involved in the trafficking and sale of illegal and controlled substances. These victims have been observed only in Russia.
Diplomatic organizations/embassies
Energy, oil and gas companies
Telecoms
Military
Specific individuals
Although the attackers use English in several places, there are certain indicators – like strings in a block of memory appended to the malware component used for persistence – that make experts believe they are not native English speakers.
The blog post and research paper are available at Securelist.com