CosmicDuke
Status: Active
Type: Backdoor
Discovered: 2013
Platform: Windows
Active since: April 2012
Number of victims: 101-500
TOP TARGETED COUNTRIES:
Top 10 countries: Georgia, Russia, USA, Great Britain, Kazakhstan, India, Belarus, Cyprus, Ukraine, Lithuania. Others include Azerbaijan and Greece.
  • Trojanized software installers
  • Data theft
  • The TinyBaron/CosmicDuke custom backdoor is built with a customizable framework called "BotGenStudio", which lets the operators enable or disable individual components when each bot is constructed.
  • The implant carries strong self-protection aimed at antimalware emulators: it prevents the security product from running the implant far enough to expose its malicious functionality. The same measures also complicate manual malware analysis.
  • CosmicDuke also targets individuals involved in the trafficking and sale of illegal and controlled substances. These victims have been observed only in Russia.
  • Diplomatic organizations/embassies
  • Energy, oil and gas companies
  • Telecoms
  • Military
  • Specific individuals
  • Although the attackers use English in several places, certain indicators (for example, strings in a block of memory appended to the malware component used for persistence) lead experts to believe they are not native English speakers.
The blog post and research paper are available at Securelist.com.