Sunday, September 21, 2014

A word on CosmicDuke


On Thursday F-Secure released a blog post on CosmicDuke. But what is CosmicDuke exactly?

CosmicDuke - the first malware seen to include code from both the notorious MiniDuke APT Trojan and another longstanding threat, the information-stealing Cosmu family. When active on an infected machine, CosmicDuke will search for and harvest login details from a range of programs and forward the data to remote servers.
Source: COSMICDUKE: Cosmu with a twist of MiniDuke (PDF)

In other words, it will (attempt to) steal your login credentials from browsers and any other programs you may or may not use. I was interested to take a look, queue how Twitter comes in handy:



In this post we'll be focusing on sample 82448eb23ea9eb3939b6f24df46789bf7f2d43e3 - which supposedly handles about the EU sanctions against Russia.


When opening the document:

(Source)


















When you open the document with macros disabled:














Seems they got prepared in case anyone disabled macros. Think this is a legit Word document?
Nope.

When you open the document, there's actually a child process spawned (tmp4D.tmp) which also loads a file called input.dll:


Don't be fooled by the company name or description,
this isn't IIS Express Worker Process nor has it anything to do with Microsoft.









We'll soon see what all this does. First, I'd like to provide some background information. The file's a .docx file, which means it is a combination of XML architecture and ZIP compression for size reduction and was implemented when Office 2007 was introduced. Why is that relevant?

Because you can unzip (with 7-zip for example) any Office file with the new extension:
(.docx, .xlsx, .pptx, ...)


Unzipped content of a .docx file











Thus, you can have a peek inside the document without actually opening it. If we look inside the "word" folder from our document, we can see the following (note the highlighted entries):
Unzipped content of  our .docx file


As you can see, there are 3 extra files there, 2 DLL files and a BIN file. Those files are embedded into the Word document. The BIN file loads an OLE , which then loads either the input.dll or input64.dll file, depending on your Operating System architecture. (in other words, the Office macro loads a malicious binary file.)

If you're interested in what the OLE artifact contained, here's a Pastebin link:

Afterwards, the malware tries to kill the following processes:
cmd.exe
savadminservice.exe
scfservice.exe
savservice.exe
ekrn.exe
msseces.exe
MsMpEng.exe
dwengine.exe
ekern.exe
nod32.exe
nod32krn.exe
AvastUi.exe
AvastSvc.exe
kav.exe
navapsvc.exe
mcods.exe
mcvsescn.exe
outpost.exe
acs.exe
avp.exe

It will then try to gather as much data as possible, from cookies to files containing *psw*;*pass*;*login*;*admin*;*sifr*;*sifer* or *vpn. Soon after your data will be uploaded to an FTP server... Which wasn't too hard to find.

Anyways, here's some additional information on the Word file by automated tools:
MalwareTracker Result
VirusTotal Result



Prevention



Conclusion

It seems obvious that malware authors are keeping up-to-date with the latest news and as such adapting their campaigns as well. Better be safe than sorry and don't trust anything sent via email. ;-)

If you're in an organisation, you might want to consider blocking the execution of all macros (or only allow the ones that are digitally signed if there's no other option) by using GPO.

You can find those templates here:



Resources

1 comment: