A fresh backdoor has been detected which is claimed to further demonstrate that nation states actively use crimeware.
According to F-Secure, its analysis of “MiniDuke” in February 2013 also allowed it to find another malware family which was using the same loader; that malware is part of the Cosmu family of information-stealers.
The company claimed that what makes the connection to MiniDuke is that based on compilation timestamps, it was Cosmu, not MiniDuke, which originally used the common shared loader. It also found that the loader was updated at some point, and both malware families took the updated loader into use.
The filenames and content used in CosmicDuke’s attack files to lure victims contain references to Ukraine, Poland, Turkey, and Russia, either generally in the language used or in the details included, or in allusions to events or institutions. The filenames and content chosen seem to be tailored to their targets’ interests, though we have no further information on the identity or location of these victims yet.
CosmicDuke infections start by tricking targets into opening either a PDF file which contains an exploit or a Windows executable whose filename is manipulated to make it look like a document or image file.
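As an added defender-side example, not code from the F-Secure analysis, the following Python heuristics flag the two lure shapes described above: a Windows executable whose filename imitates a document or image, and a PDF that carries active content. The extension lists, the PDF keys and the sample filenames are my assumptions, constructed for illustration.

```python
import re

# Heuristics for disguised-executable and active-PDF lures (added example).
RTLO = "\u202e"                      # right-to-left override reverses how the rest of the name displays
DOC_OR_IMAGE_EXT = {"pdf", "doc", "docx", "rtf", "jpg", "jpeg", "png", "gif"}
EXEC_EXT = {"exe", "scr", "com", "pif", "cpl"}
PDF_ACTIVE_KEYS = [b"/OpenAction", b"/JavaScript", b"/JS", b"/Launch", b"/AA"]


def lure_indicators(filename, head):
    """Return reasons a file looks like an executable masquerading as a document.

    filename: the name as delivered; head: the first bytes of the file content.
    """
    reasons = []
    exts = filename.lower().split(".")[1:]      # every extension after the first dot
    if RTLO in filename:
        reasons.append("right-to-left override in filename")
    if len(exts) >= 2 and exts[-1] in EXEC_EXT and exts[-2] in DOC_OR_IMAGE_EXT:
        reasons.append("double extension: .%s hides .%s" % (exts[-2], exts[-1]))
    if re.search(r"\s{5,}\.\w+$", filename):
        reasons.append("whitespace padding hides the real extension")
    # Content check: a PE file always starts with "MZ", whatever the name claims.
    if head[:2] == b"MZ" and (not exts or exts[-1] not in EXEC_EXT):
        reasons.append("PE (MZ) header but extension claims %s" % (exts[-1] if exts else "no type"))
    return reasons


def pdf_indicators(data):
    """Return the active-content keys present in a PDF; empty list for non-PDFs."""
    if not data.startswith(b"%PDF-"):
        return []
    return [key.decode() for key in PDF_ACTIVE_KEYS if key in data]


if __name__ == "__main__":
    # Constructed samples, not taken from any real CosmicDuke attachment.
    samples = [
        ("Ukraine_report.pdf.exe", b"MZ\x90\x00"),
        ("photo.jpg", b"MZ\x90\x00"),
        ("notes" + RTLO + "fdp.exe", b"MZ\x90\x00"),
        ("invoice.pdf", b"%PDF-1.4 ... /OpenAction ... /JavaScript ..."),
    ]
    for name, head in samples:
        print(name, lure_indicators(name, head), pdf_indicators(head))
```

These checks are cheap triage heuristics for mail-gateway or sandbox intake; a clean result says nothing about the PDF's exploit payload itself, only about the lure's shape.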