CosmicDuke is believed to have been developed and deployed by the same team as PinchDuke. It was compiled on January 16, 2010 and was still active as of June 2015. It superseded the PinchDuke campaign and its toolkit surpasses the functionality of the PinchDuke exploit kit. Unlike PinchDuke, CosmicDuke appears to be entirely custom written to the adversary’s specifications. The techniques that CosmicDuke uses to extract user credentials and detect analysis tools may be based on PinchDuke. At a high-level, CosmicDuke’s persistence techniques resemble those of GeminiDuke. Despite the similarities to the other Duke malware, CosmicDuke does not share any code with its sibling campaigns. CosmicDuke was most famously deployed against individuals believed to be trafficking illicit substances in Russia. It is possible that Russia’s law enforcement agencies used the malware as spyware in their war against drugs.

It deploys from a series of loaders and the malware is built around an information stealer that is augmented by persistence components and a privilege escalation tool. Early variants of the privilege escalation module attempted to exploit CVE-2010-0232 or CVE-2010-4398. The malware authors likely chose which persistence and escalation tools to include in each variant of the malware in order to exploit known vulnerabilities in the target environment. For instance, in 2014, after the exposure of MiniDuke, Kaspersky noted the appearance of a CosmicDuke variant that featured a backdoor and the ability to start via Windows Task Scheduler.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s