CosmicDuke: peering inside over 7 years of state-sponsored malware operations


Presented at t2 2015 by Artturi Lehtiö

The summer of 2014 saw the public outing of a uniquely interesting malware family known as CosmicDuke. While CosmicDuke appeared to primarily target Western governments for espionage purposes, it was also seen targeting Russian-speaking criminals involved with illegal substances and child porn. Also, while CosmicDuke seemed to be based on an older malware family called Cosmu, it clearly shared some components with the presumably Russian-backed espionage operation MiniDuke.

In this presentation, we will detail the discoveries we have made over the past year of continuing research into CosmicDuke. We will explain how we worked to identify and extract key "metadata" from CosmicDuke samples and how, by compiling this data from samples we had already encountered, we were able to find additional samples of CosmicDuke, discover previously unseen variants of CosmicDuke, and identify new "strains" of CosmicDuke activity. We will also detail how we were able to use the metadata compiled from samples to attempt to answer questions such as "How has the use of CosmicDuke evolved over the years?" and "Is CosmicDuke being operated by a single group of people, or are many groups sharing the toolset?".

In this presentation, we will also show how the people behind CosmicDuke have worked to continuously improve their tools. We will show examples of features being ported between different tools in the CosmicDuke toolset, recently published public exploits being turned into new CosmicDuke components, existing functionality being reworked and refactored, and even how ease of testing has been taken into account in CosmicDuke. Finally, our presentation will also provide insight into an oft-forgotten aspect of malware research: "What happens once it's public?" We will therefore conclude our presentation by discussing the ways in which we have observed the people behind CosmicDuke respond to last summer's publications.
By sharing our techniques and the discoveries they led to, as well as the observations we have made through the course of our research, we hope to provide unique insight for anyone researching, countering or otherwise interested in understanding long-running targeted malware operations.

Artturi Lehtiö, born in Finland, began his computer science studies at Aalto University in 2010 and is now finishing up his Bachelor of Science degree there. He has been employed by the Finnish security company F-Secure since 2014, where he currently works as a researcher focusing primarily on threat intelligence, threat hunting and reverse engineering.