CosmicDuke

Description

(F-Secure) The CosmicDuke toolset is designed around a main information stealer component. This information stealer is augmented by a variety of components that the toolset operators may selectively include with the main component to provide additional functionalities, such as multiple methods of establishing persistence, as well as modules that attempt to exploit privilege escalation vulnerabilities in order to execute CosmicDuke with higher privileges. CosmicDuke's information stealing functionality includes:

  • Keylogging
  • Taking screenshots
  • Stealing clipboard contents
  • Stealing user files with file extensions that match a predefined list
  • Exporting the user's cryptographic certificates, including private keys
  • Collecting user credentials, including passwords, for a variety of popular chat and email programs as well as from web browsers

CosmicDuke may use HTTP, HTTPS, FTP or WebDAV to exfiltrate the collected data to a hardcoded C&C server.

Names

  • CosmicDuke
  • TinyBaron
  • BotgenStudios
  • NemesisGemina

Category

Malware

Type

  • Backdoor
  • Keylogger
  • Info stealer
  • Credential stealer
  • Exfiltration

Information

MITRE ATT&CK

Malpedia

Other Information

UUID

75a23886-9c93-4a6f-88ab-c540721d2392

Last Card Change

2023-04-26