Self Assessment

CosmicDuke Malware Analysis

Published On : 2022-08-29
Share :
CosmicDuke Malware Analysis

CosmicDuke Malware Analysis Report

Executive Summary

One of the campaigns Cyfirma researchers observed recently is ‘natural disaster’ which is potentially active since 17 March 2022 with the motive of exfiltration of sensitive databases, and customer information for financial gains. Our research team detected total of six samples of “CosmicDuke” malware related to this campaign and we chose one of them for further analysis and provide this report as part of our findings.

The “CosmicDuke” malware is a combination of information stealer and backdoor and the malware sample (August 2022) we have analyzed is a 32-bit executable binary part of “natural disaster” campaign that utilizes legitimate file names to deceive users.

The malware sample decompressed 1st stage load [malware] file in the memory, and that 1st stage loader file is created [self-copy of the files] in the system32 as a legitimate file. This is followed by the dropping of two files, with the dropped file sizes being 5kb and 4kb files in the system32, with the threat actor creating file names as legitimate names. After this, “CosmicDuke” malware loader creates a schedule task and installs windows service to achieve persistence and establishes the connection to C2 server for further operation from attackers. “CosmicDuke” malware achieves persistence on the victim system by creating a scheduled task and installing a windows service. Stealing clipboard contents and user files with file extensions that match a predetermined list, keylogging activity, taking screenshots, and collecting user credentials, such as passwords, from a range of popular chat and email programs, as well as web browsers to exfiltrate the captured data to an attacker controlled C2 server. “CosmicDuke” malware is spread through several tactics, including spear-phishing, malicious advertising, exploit kits, and others. “CosmicDuke” malware is a combination of the notorious MiniDuke APT trojan [backdoor] and another longstanding threat, the information stealing Cosmu family.

The malware [“CosmicDuke”] has the following capabilities:

  • Multiple Anti-debugging capabilities.
  • Ability to enumerate drives.
  • Ability to enumerate paths, files, and folders.
  • Capability to load other libraries, processes, and DLLs in memory.
  • Capability to handle command-line arguments and command execution.
  • Ability to Gather System Information.
  • Network communication capability.
  • Collecting user credentials, such as passwords, from a range of popular chat and email programs, as well as web browsers.
  • Taking screenshots, Keylogging activity, Stealing clipboard contents.

Threat Actor attribution: APT29/COZY BEAR

APT29 is a cyber-espionage group which is belong to Russian espionage. This group has been operating since at least 2008. APT29 group is a component of the SVR, Russia’s foreign intelligence agency. the hack of the United States Democratic National Committee (DNC) in 2016 has been attributed to this group, as well as the SolarWinds supply chain compromises in 2020. APT29 group are continuously evolving their tactic and tools and remain a threat with malware like Cosmic Duke.

Targeted Industries

Academic, Energy, Financial, Government, Healthcare, Media, Pharmaceutical, Technology, Think Tanks.

Targeted Countries

Germany, Japan, United Kingdom, United States of America.

ETLM Attribution

The Cyfirma Research Group noticed three campaigns recently attributed to APT29 or its affiliates named UNC040 (Jan 24, 2022 – Aug 23, 2022), Natural Disaster (Mar 17, 2022 – Aug 23, 2022), Eliminate#30 (Oct 10, 2020 – Aug 23, 2022). Thus far, in 2022, as part of 3 active campaigns, APT29 has targeted the following countries – Japan, United States, United Kingdom, Germany, South Korea, and India. Herein, Japan and the United States have proven to be the favourite targets. As part of the observed campaigns, malware such as BazarLoader, Cobalt Strike, MiniDuke, “CosmicDuke”, Sunburst, SUPERNOVA, and more, were employed by APT29 attackers.

One of the campaigns ‘natural disaster’ which is potentially active since 17 March 2022 with the motive of exfiltration of sensitive databases, and customer information for financial gains. The threat actor is suspected to leverage attack methods such as exploiting the weakness in the systems, phishing with malware, and trojan implants. Total of six samples were detected of ““CosmicDuke”” malware by our team related to this campaign as mentioned below and we chose one of them for analysis:

  • 53264f1daff3df9a9e0974b71d9cd945
  • 182aeb380ed48d731217d904ee66e7ed
  • 9452d0b3e348890b3ca524efebcb15f6
  • b771081daabc044141eecb8c9db69519
  • 6152e22093c052266d2c61ac2738bfc2
  • 3941639886899D6580DE2113D4C8841E

CosmicDuke Backdoor Analysis

Sample Details:
MD5: 3941639886899D6580DE2113D4C8841E
SHA256: F6850A3C4C677C5F7E83C6B062B00C744C2E00A11346F7A4B00CA8677AC34C47 File Type: Windows PE
Architecture: 32 Bit
Subsystem: GUI
First Seen: August-22

This malware was written in Microsoft Visual C++ programming language. This malware binary file’s size is 2301383 (bytes). As shown in the below figure, this CosmicDuke variant binary file was packed by a custom [unknown] packer.

This malicious file is having version information as Google Chrome, where the threat actor lures the user with this file posing as Google Chrome Updater.

Upon execution of the file, it loads the malicious packed code into the memory and unpacks that file in memory [file hash: 335D2EE728B4C1591B5B374A7CE4B758], after that unpacked file is executed from the memory which actions the following modification in the victim system.

Files added in the Victim host:
C:\ Windows\System32\apicms.exe[MD5: 0499C600266D8311722BBC31B89FB9AC]
C:\ Windows\System32\ uidhcp.exe[MD5: 335D2EE728B4C1591B5B374A7CE4B758]
C: Windows\System32\ wmsys.scr[MD5: 943E98CB74058DFA942D9D6184E936B1]
C:\Windows\System32\Tasks\PBDARegisterSW

Registry Modification

Registry Keys added in the Victim host:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{EE2A453A- CE72-47C6-8A8A-727199A79DEA}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EE2A453A- CE72-47C6-8A8A-727199A79DEA}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PBDARegisterSW HKLM\SYSTEM\CurrentControlSet\services\javatmsup
HKLM\SYSTEM\ControlSet001\service javatmsup\Start: 0x00000002
HKLM\SYSTEM\ ControlSet0 \services\javatmsup\ErrorControl: 0x00000001 HKLM\SYSTEM\ControlSet001\services\javatmsup\ImagePath: ” C:\ Windows\System32\ uidhcp.exe

Registry Values added in the Victim host:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EE2A453A- CE72-47C6-8A8A-727199A79DEA}\Path: “\PBDARegisterSW”
HKLM\SOFTWAR createdft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EE2A453A- CE72-47C6-8A8A-727199A79DEA}\Hash: C0 36 F4 86 0A 7F A7 75 19 A4 3 68 ED 2D DB 45 EB 2F ED B3 82 FF 80 A2 89 A6 32 B2 2A BE B9 DE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ EE2A453A- Cthe E72-47C6-8A8A-727199A79DEA}\DynamicInfo: 03 00 00 00 92 5A 26 EA A2 AF D8 01 92 5A 26 EA A2 AF D8 01 05 00 00 C0 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PBDARegisterSW\Id: “{EE2A453A-CE72-47C6-8A8A- 727199A79DEA}”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PBDARegisterSW\Index: 0x00000002
HKU\Control Panel\Desktop\ScreenSaveBackup: “”
HKU\ Panel\Desktop\SCRNSAVE.EXE: “C:\ Windows\System32\ wmsys.scr”
HKU\ Control Panel\Desktop\ScreenSaveUtility: “C:\ Windows\System32\ wmsys.scr”
HKU\\Control Panel\Desktop\ScreenSaveTimeOut: “60”

Network Communication

After that this unpacked backdoor file establishes the connection to the below C2 servers with Post Request, in that post request this malware appends the stolen data such as computer name, username, version information, Volume ID, etc. Following are the IP addresses used for communication:

  • 199[.]231[.]188[.]109
  • 46[.]246[.]120[.]178

As shown in the below code snippet picture, this CosmicDuke variant binary first runs the loop 1000 times to misdirect the analysis and delay the execution.

Next, this malware creates virtual memory by calling VirtualAlloc API call, then loadings the packed content in that memory location after that packed code was decrypted by a custom packer in the memory then transfers the call to the unpacked memory.

1st Stage Payload (unpacked)
Sample Details:
MD5: 335D2EE728B4C1591B5B374A7CE4B758
SHA256: 42AFD884116DF2267696DA88827E8F774155C8B1DA86BCE968BE20765EB8BB7C File Type: Windows PE
Architecture: 32 Bit
Subsystem: GUI

This malware sample was also written in Microsoft Visual C++ programming language. This malware binary file’s size is 294551 (bytes). As shown below, this file is having the version information as Microsoft Corporation [internal file name is svchost.exe], with this trick allowing the threat actor to hide their malicious intent.

This CosmicDuke backdoor loader initially verifies any security product running in the victim system before executing the CosmicDuke malware activity by calling CreateToolhelp32Snapshot, Process32Next, and Process32First. If any security product is running, this malware will be terminated with no expression of the malware behaviour.

After that this malicious code generates random characters [alphabet letters] and combines those random characters together for making the file name [to showcase the filename as a legitimate file name]. These created file names are used while creating malicious payload/files. Then this malware directly copies itself into the system32 by calling CreateFileW API.

Once the unpacked file is created in the system32, this malicious binary obtains the temp folder location by calling GetTempPathW, then creates a 5kb file [File hash: 0499C600266D8311722BBC31B89FB9AC] by calling again CreateFileW, after that this 5kb file is copied into the system folder by calling CopyFileW.

Similar to the above behavior, this malware code creates a 4kb file in the temp folder [file hash: 943E98CB74058DFA942D9D6184E936B1] after that copies this file to system32 as .scr file extension.

Once the three files are created, the malicious loader launches the 5 kb files, in that pass the argument is ’ local system’ by calling CreateProcessW

Similar to this the malicious load launches the 4kb file by calling CreateProcessW without passing any argument. After that, this loader launches the self_copied file by calling the CreateProcessW API [passing argument is -enc[this argument is varying with every execution]]. After this file is launched it creates the scheduled task by calling CreateFileW, then modifies the Registry by calling the RegSetValueExW API.

The threat actor could collect data from the clipboard by calling the below code snippet.

Additionally, this malware collects the computer name, keyboard layout details, what drivers are available on the victim system, etc.

This malware establishes the connection to the FTP server and uploads the harvested details from the victim systems to the threat actor C2 server as well as waits for further commands from the attackers.

Dropped file_01
Sample Details:
MD5: 0499C600266D8311722BBC31B89FB9AC
SHA256: 16F868FC0F84E1C91E11A8F715395E1122775E597031C0CAEDEAF4AF39122B68 File Type: Windows PE
Architecture: 32 Bit
Subsystem: Console

This file is creating a service dubbed Java Virtual Machine Support Service [service name: \javatmsup] with auto_start [this file is achieving persistence, so whenever the victim system is rebooted, this service will run automatically].

After the service is started, this malware takes a snapshot of the running process by calling CreateToolhelp32Snapshot, then obtains explore.exe process handle by iterating this snapshot and calling open process. After obtaining the explore.exe process handle, it duplicates this explore.exe process token and starts the malware process using the duplicated process token, followed by harvesting system information such as the password and other information.

Dropped file_02
Sample Details:
MD5: 933B3C5D3728EF6E08AF4AE579C00D11
SHA256: 47F3405AB0DA5AF125BCC6EBB6D17A1573B090C54D7A0A00630EC170CCC4B9D1 File Type: Windows PE
Architecture: 32 Bit
Subsystem: GUI

This sample is a component of the CosmicDuke malware, which is obtaining the desktop details of victim systems by calling the RegQueryValueExW, RegOpenKeyExW, and then storing those details in the buffer before launching this process by calling the CreateProcessW. This malware sends the harvested information to the attackers.

List of IOCs: (Related to Campaign Name: Natural Disaster)

Sr No. Indicator Type Remarks
1 3941639886899D6580DE2113D4C8841E MD5 sample
2 335D2EE728B4C1591B5B374A7CE4B758 MD5 1st stage CosmicDuke
3 0499C600266D8311722BBC31B89FB9AC MD5 Dropped file by CosmicDuke
4 6152e22093c052266d2c61ac2738bfc2 MD5 Other Sample Related to Campaign
5 182aeb380ed48d731217d904ee66e7ed MD5 Other Sample Related to Campaign
6 9452d0b3e348890b3ca524efebcb15f6 MD5 Other Sample Related to Campaign
7 53264f1daff3df9a9e0974b71d9cd945 MD5 Other Sample Related to Campaign
8 b771081daabc044141eecb8c9db69519 MD5 Other Sample Related to Campaign
9 933B3C5D3728EF6E08AF4AE579C00D11 MD5 Dropped file by CosmicDuke
10 199[.]231[.]188[.]109 Ip address C2 connection
11 46[.]246[.]120[.]178 Ip address C2 connection
12 D:\SV A\NITRO\BotGenStudio\Interface\Generations\80051A8 5\bin\bot.pdb strings Pdb path
13 \\.\pipe\40DC244D-F62E-093E-8A91-736FF2FA2AA2 strings Pipe name

 

MITRE ATT&CK Tactics and Techniques (Based on our analysis):

Sr No. Tactic Technique
1 Execution(TA0002) T1059.003: Command and Scripting Interpreter: Windows Command Shell
2 Persistence(TA0003) T1543.003: Create or Modify System Process: Windows Service
T1053.005: Scheduled Task/Job: Scheduled Task
3 Privilege Escalation(TA0004) T1134.004: Access Token Manipulation: Parent PID Spoofing
T1543.003: Create or Modify System Process: Windows Service
T1053.005: Scheduled Task/Job: Scheduled Task
4 Defense Evasion (TA0005) T1027: Obfuscated Files or Information
5 Discovery (TA0007) T1057: Process Discovery
T1082: System Information Discovery
T1012: Query Registry
T1518.001: Software Discovery: Security Software Discovery
6 Collection (TA0009) T1115: Clipboard Data
T1056.001: Input Capture: Keylogging
7 Command and Control(TA0011) T1071: Application Layer Protocol