The Story Behind CosmicDuke presented at t2InfoSecCon 2014

by Timo Hirvonen

Summary: In early 2013, the MiniDuke malware was discovered in use in a series of attacks against NATO and European government agencies. While investigating MiniDuke samples in April 2014, we noticed that the same loader component was used to load a variant of the Cosmu infostealer family. This was the first, and still the only, malware we have seen share code with MiniDuke. We decided to name the samples showing this amalgamation of the MiniDuke loader and a Cosmu-derived payload CosmicDuke.
This presentation tells the story behind our journey from the discovery of the first CosmicDuke sample to the release of our analysis report. We explain how we found the initial sample and what kind of information and tools we used to hunt for more samples. In the beginning we were able to find samples only of the loader, but eventually we also discovered droppers and even PDF documents with exploits. We will demonstrate a tool that we wrote to extract the server configuration from CosmicDuke samples, and also a high-tech big-data metadata database for storing our analysis results. We will point out some interesting details of the CosmicDuke code that have not been published yet. Since the whole analysis process was a learning experience for us, we will openly share our learnings (read: mistakes) throughout the presentation. The presentation will include snippets from our IRC logs and emails to show some of the wild theories and intriguing questions we had along the way.
Our analysis effort had one big, overarching question: how strong is the connection to MiniDuke? That question was answered, along with some questions about the victims, when the release of our whitepaper inspired others to release their findings. We will conclude the presentation by looking at the CosmicDuke sample groups we were able to identify and discuss the most likely explanation behind these three groups that seem disturbingly disparate but are clearly written by the same people.
Timo Hirvonen, Senior Researcher for the Security Response Team, has been working closely with F-Secure's proprietary behavior-based DeepGuard technology for four years. Timo is an expert in exploit analysis with an emphasis on malicious Java, Flash, and PDF files. Timo has been enjoying sunny California and working at the F-Secure North America HQ since September 2013. In addition to his 3½ t2 talks, Timo has presented at Black Hat USA 2014, Microsoft Digital Crimes Consortium 2014, CARO 2013, and the Scandinavian Cybercrime Conference 2013. Timo's mission is to keep the good guys safe by studying the latest tricks the bad guys use.

Timo Hirvonen: Timo Hirvonen works for F-Secure Corporation as an Anti-Malware Analyst. Prior to joining F-Secure in July 2010, he worked for the leading data erasure company Blancco. Timo considers winning the t2'09 challenge his greatest achievement so far and also one of the most remarkable things that has ever happened to him. In his free time he enjoys cycling, playing piano and listening to jazz.