Duke Malware

Duke is the overarching term denoting a collection of malware toolsets deployed by the APT29 APT (Advanced Persistent Threat) actor. This actor, recognized by multiple aliases such as The Dukes, Cloaked Ursa, CozyBear, Nobelium, and UNC2452, operates within the realm of cyber intrusions. APT29 is affiliated with the Foreign Intelligence Service of the Russian Federation (SVR RF), signifying a state-sponsored origin from Russia. The group's pursuits are rooted in political and geopolitical motivations, focusing on intelligence gathering and the realm of cyber espionage.

Under the umbrella of the Duke malware family lies an expansive array of threatening software, encompassing various types like system backdoors, loaders, infostealers, process disruptors and more.

The most recent instance of an attack campaign associated with The Dukes group took place in 2023. This campaign involved the dissemination of malicious PDF documents that camouflaged themselves as diplomatic invitations originating from the German embassy. Notably, this email campaign targeted the Foreign Affairs ministries of nations aligned with NATO, underscoring the group's strategic targeting and potential geopolitical implications.

The Cybercriminals Created Specialized Duke Malware Threats

The APT actor known as The Dukes has maintained its operational presence since at least 2008, exhibiting an extensive range of tools over the course of these years. Presented below is a chronological overview of some of the more prominent toolsets employed by this particular threat actor.

PinchDuke: This toolkit features a collection of loaders designed to introduce additional threatening elements or programs into compromised systems. It encompasses a file grabber intended for exfiltration and a credential stealer. The latter targets various data sources, including Microsoft Authenticator (passport.net), email clients (Mail.ru, Mozilla Thunderbird, Outlook, The Bat!, Yahoo Mail), browsers (Internet Explorer, Mozilla Firefox, Netscape Navigator), and messaging services (Google Talk), among others.

GeminiDuke: With its loader capabilities and multiple mechanisms to ensure persistence, GeminiDuke also boasts functionalities as a data stealer, predominantly focused on collecting device configuration data. This information includes user accounts, installed drivers and software, running processes, startup programs and services, network settings, specific folders and files, and recently accessed programs and files.

CosmicDuke (also recognized as BotgenStudios, NemesisGemina, and Tinybaron): Comprising several loaders, a range of components to ensure persistence and a module for privilege escalation, CosmicDuke primarily revolves around its information-stealing capabilities. It can exfiltrate files with specific extensions, export cryptographic certificates (including private keys), capture screenshots, record keystrokes (keylogging), retrieve log-in credentials from browsers, email clients, and messengers, as well as collect content from the clipboard (copy-paste buffer).

MiniDuke: This malware comes in various iterations, encompassing a loader, downloader, and backdoor functionalities. MiniDuke is primarily employed to either prepare a system for subsequent infections or facilitate the progression of such infections.

The Duke Malware Family Continues to Expand

Researchers have managed to identify several more threats belonging to the Duke malware family and being used as part of the malicious arsenal of APT29.

CozyDuke, also recognized as Cozer, CozyBear, CozyCar, and EuroAPT, functions primarily as a backdoor. Its core purpose is to establish an entry point, often referred to as a 'backdoor,' for subsequent infections, particularly its own modules. To achieve this, it employs a dropper in conjunction with multiple modules designed to ensure persistence.

Among its components are those dedicated to extracting system data, executing fundamental Cmd.exe commands, capturing screenshots, and pilfering log-in credentials. Remarkably, CozyDuke also possesses the capability to infiltrate and execute other files, implying the potential to facilitate a broad spectrum of malware infections.

OnionDuke presents itself as modular malware with a diverse set of possible configurations. Armed with loader and dropper capabilities, this program introduces an array of information-stealing modules, including those focused on harvesting passwords and other sensitive data. Additionally, it features a component geared towards launching Distributed Denial-of-Service (DDoS) attacks. Another module is devised to exploit compromised social networking accounts for initiating spam campaigns, potentially amplifying the reach of the infection.

SeaDuke, also referred to as SeaDaddy and SeaDask, stands out as a cross-platform backdoor designed to operate on both Windows and Linux systems. Despite its relative simplicity, SeaDuke serves as a fundamental toolset, primarily oriented towards executing infiltrated files to propagate the infection.

HammerDuke, known alternately as HAMMERTOSS and Netduke, emerges as a straightforward backdoor. Its discernible usage has been exclusively noted as a secondary backdoor that follows a CozyDuke infection.

CloudDuke also acknowledged as CloudLook and MiniDionis, manifests in two backdoor versions. This malware encompasses downloader and loader functionalities, primarily directed at fetching and installing payloads from predefined locations, whether from the internet or a Microsoft OneDrive account.

It's crucial to underline that the prospect of The Dukes APT actor introducing new malware toolsets remains considerable unless their operations come to a halt. The nature of their activities suggests a sustained potential for innovation in their strategies and techniques.