GeminiDuke

Description

(F-Secure) The GeminiDuke toolset consists of a core information stealer, a loader and multiple persistence-related components. Unlike CosmicDuke and PinchDuke, GeminiDuke primarily collects information on the victim computer’s configuration. The collected details include:

  • Local user accounts
  • Network settings
  • Internet proxy settings
  • Installed drivers
  • Running processes
  • Programs previously executed by users
  • Programs and services configured to automatically run at startup
  • Values of environment variables
  • Files and folders present in any user's home folder
  • Files and folders present in any user's My Documents
  • Programs installed to the Program Files folder
  • Recently accessed files, folders and programs

As is common for malware, the GeminiDuke infostealer uses a mutex to ensure that only one instance of itself is running at a time. What is less common is that the name used for the mutex is often a timestamp. We believe these timestamps to be generated during the compilation of GeminiDuke from the local time of the computer being used.
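The timestamp-shaped mutex name is a hunting lead: a single-instance mutex whose name parses as a plausible date stands out among ordinary named objects. The following is an added example, not code from F-Secure or from this card, that flags such names in a mutex listing. The listing itself is constructed for the example, the three timestamp layouts it checks (YYYYMMDDHHMMSS, ISO-style date-time, Unix epoch) are assumptions rather than GeminiDuke's documented format, and the function and constant names are ours.

```python
import re
from datetime import datetime, timezone

# Constructed sample: mutex/mutant names of the kind a handle enumerator or a
# memory-forensics mutant scan would list. None of these are real GeminiDuke
# indicators; they only exercise the heuristic below.
SAMPLE_MUTEX_NAMES = [
    "Sessions\\1\\BaseNamedObjects\\20120528104508",
    "BaseNamedObjects\\2013-02-11 09:41:17",
    "BaseNamedObjects\\1360575677",
    "BaseNamedObjects\\Global\\CrashReporter_Lock",
    "BaseNamedObjects\\31337133713371337",
    "BaseNamedObjects\\99999999999999",
]

# Assumed timestamp layouts; F-Secure's description does not state the format.
TIMESTAMP_PATTERNS = [
    (re.compile(r"^\d{14}$"), "%Y%m%d%H%M%S"),
    (re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$"), "%Y-%m-%d %H:%M:%S"),
    (re.compile(r"^\d{10}$"), "epoch"),
]

# A run of digits is only treated as a timestamp if it decodes to a date in a
# plausible window; this rejects arbitrary numeric names such as "99999999999999".
EARLIEST = datetime(2000, 1, 1)
LATEST = datetime(2030, 1, 1)  # fixed upper bound so results are reproducible


def parse_timestamp(leaf):
    """Return a datetime if the object's leaf name looks like a timestamp, else None."""
    for pattern, fmt in TIMESTAMP_PATTERNS:
        if not pattern.match(leaf):
            continue
        try:
            if fmt == "epoch":
                ts = datetime.fromtimestamp(int(leaf), tz=timezone.utc).replace(tzinfo=None)
            else:
                ts = datetime.strptime(leaf, fmt)
        except (ValueError, OverflowError, OSError):
            return None
        return ts if EARLIEST <= ts < LATEST else None
    return None


def find_timestamp_mutexes(names):
    """Return (full_name, decoded_datetime) for every mutex whose leaf name is a timestamp."""
    hits = []
    for name in names:
        leaf = name.rsplit("\\", 1)[-1]  # strip the object-directory prefix
        ts = parse_timestamp(leaf)
        if ts is not None:
            hits.append((name, ts))
    return hits


if __name__ == "__main__":
    for name, ts in find_timestamp_mutexes(SAMPLE_MUTEX_NAMES):
        print(f"{name}  ->  {ts.isoformat()}")
```

Run over a real listing, a hit is a lead rather than a verdict: plenty of benign software also names synchronisation objects after dates. If the decoded timestamp falls close to the sample's own build time, that is consistent with F-Secure's observation that the name is generated at compilation from the builder's local clock, and it gives a second data point on when the binary was produced.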

Names

Name
GeminiDuke

Category

Malware

Type

  • Reconnaissance
  • Backdoor
  • Info stealer
  • Loader

Information

Mitre Attack

Malpedia

Alienvault Otx

Other Information

Uuid

584ac10a-2dc5-4633-9d8a-0980870bbd1f

Last Card Change

2023-06-22