F-Secure, a global security company, has discovered a series of attacks against NATO and European government agencies. While analysing the backdoor it identified as 'MiniDuke', F-Secure Labs found that another malware family was using the same loader as MiniDuke stage 3. That malware belongs to the Cosmu family, which had originally used a common shared loader. The loader was updated at a particular time, and both malware families then used the updated loader. Because Cosmu shared code with MiniDuke, F-Secure named the samples showing this combination of a MiniDuke-derived loader and a Cosmu-derived payload 'CosmicDuke'.
According to F-Secure's findings, CosmicDuke infections begin by misleading the target into opening either a PDF file containing an exploit or a Windows executable whose file name has been changed so that it looks like a document or image file. Once the target opens the file, the malware gains control of the system and starts collecting valuable information. Its components include a keylogger, a clipboard stealer, a screenshotter and password stealers for e-mail and web browsing programs. It also collects information about the system itself and exports cryptographic certificates and private keys.
The collected data is then sent to remote servers via FTP. Besides stealing valuable information from the compromised system, CosmicDuke also allows the attacker to download and execute other malicious files on it. CosmicDuke's attack files were also observed to contain references to Ukraine, Poland, Turkey and Russia.
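As an added, defender-side example (not code from the F-Secure report or from the CosmicDuke samples), the script below turns two of the behaviours described above into simple checks: spotting an executable whose file name has been changed to look like a document or image, and spotting an internal host that opens an FTP control session to an external server and then pushes a large volume of data. The log format, IP addresses, file names and byte threshold are all constructed assumptions, not values from the report.

```python
"""Added example (not from the F-Secure report): two defensive checks
suggested by the CosmicDuke behaviour described above.

1. is_disguised_executable(): flags a file that claims to be a document or
   image (by extension) but whose content is a Windows executable (PE header
   'MZ'), or that hides an executable extension behind a document extension
   (e.g. 'report.pdf.exe').
2. flag_ftp_exfil(): scans constructed connection-log lines and reports
   internal hosts that opened an FTP control session (TCP/21) to an external
   server and sent at least `min_bytes` to that server across all
   connections (FTP moves the data itself on a separate channel).

All file names, IP addresses and log lines below are constructed.
"""
import os
import re

DOCUMENT_OR_IMAGE = {".pdf", ".doc", ".docx", ".rtf", ".jpg", ".jpeg", ".png", ".gif"}
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def _extensions(filename):
    """Return every dot-separated extension, lower-cased, e.g. ['.pdf', '.exe']."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:]]


def is_disguised_executable(filename, head):
    """True if the file looks like a document/image but is, or hides, an executable.
    `head` is the first bytes of the file content; only the first two are used."""
    exts = _extensions(filename)
    if not exts:
        return False
    # A Windows PE file starts with the 'MZ' DOS header. Such content under a
    # document or image extension means the name was changed to look harmless.
    if head[:2] == b"MZ" and exts[-1] in DOCUMENT_OR_IMAGE:
        return True
    # Double extension such as 'invoice.pdf.exe' or 'photo.jpg.scr'.
    if len(exts) >= 2 and exts[-1] in EXECUTABLE and exts[-2] in DOCUMENT_OR_IMAGE:
        return True
    return False


# Constructed log format (assumption): one TCP connection summary per line.
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=tcp\s+bytes_out=(?P<bytes>\d+)"
)


def _is_internal(ip):
    """RFC 1918 private ranges stand in for 'our network' in this example."""
    return ip.startswith(("10.", "192.168.")) or re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip) is not None


def flag_ftp_exfil(log_lines, min_bytes=1_000_000):
    """Return (src, dst, total_bytes_out) for internal->external pairs that had
    at least one FTP control session and sent at least `min_bytes` in total."""
    totals = {}          # (src, dst) -> bytes sent over all connections
    ftp_control = set()  # (src, dst) pairs with at least one TCP/21 session
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst = m.group("src"), m.group("dst")
        if not (_is_internal(src) and not _is_internal(dst)):
            continue
        key = (src, dst)
        totals[key] = totals.get(key, 0) + int(m.group("bytes"))
        if int(m.group("dport")) == 21:
            ftp_control.add(key)
    return [(s, d, n) for (s, d), n in totals.items() if (s, d) in ftp_control and n >= min_bytes]


# Constructed sample log: one control session plus a passive data channel from
# 10.0.0.5 to an external server, an internal-only FTP session, an HTTPS
# connection with no FTP, and a small FTP session that stays under threshold.
SAMPLE_LOG = [
    "2014-07-02T10:15:01Z src=10.0.0.5 dst=203.0.113.10 dport=21 proto=tcp bytes_out=1200",
    "2014-07-02T10:15:03Z src=10.0.0.5 dst=203.0.113.10 dport=51234 proto=tcp bytes_out=5242880",
    "2014-07-02T10:15:07Z src=10.0.0.7 dst=10.0.0.20 dport=21 proto=tcp bytes_out=8000000",
    "2014-07-02T10:16:00Z src=10.0.0.5 dst=198.51.100.4 dport=443 proto=tcp bytes_out=120000",
    "2014-07-02T10:17:30Z src=10.0.0.9 dst=203.0.113.10 dport=21 proto=tcp bytes_out=4096",
]

if __name__ == "__main__":
    print(is_disguised_executable("report.pdf", b"MZ\x90\x00"))       # True
    print(is_disguised_executable("invoice.pdf.exe", b"MZ\x90\x00"))  # True
    print(is_disguised_executable("report.pdf", b"%PDF-1.5"))         # False
    print(flag_ftp_exfil(SAMPLE_LOG))  # [('10.0.0.5', '203.0.113.10', 5244080)]
```

The file check is deliberately content-based as well as name-based, because a renamed executable keeps its PE header no matter what extension it carries. The FTP check sums bytes per source/destination pair rather than per connection, since the FTP control session on port 21 carries almost nothing and the stolen data travels on a separate data connection.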