Duke Malware Comprised of Diverse Set of Malicious Tools


"Duke" is the general term for the sets of malicious software employed by the Advanced Persistent Threat (APT) actor APT29, also known as The Dukes, Cloaked Ursa, CozyBear, Nobelium, and UNC2452. APT29 is a Russian state-sponsored group affiliated with the Foreign Intelligence Service of the Russian Federation. The group is driven by political and geopolitical motives, focusing primarily on intelligence collection and cyber-espionage.

The Duke malware collection encompasses an extensive array of malicious software, ranging from system backdoors and loaders to data exfiltration tools and process disruptors.

The most recent spam campaign associated with The Dukes occurred in 2023 and involved the distribution of malicious PDF documents disguised as diplomatic invitations from the German embassy. This email campaign targeted the foreign affairs ministries of NATO-aligned countries.

The APT actor known as The Dukes has been active since at least 2008 and has employed a diverse assortment of tools over the years. Below is a chronological list of some of the more prominent toolsets used by this threat actor.

Duke's Diverse Toolkit

PinchDuke comprises a series of loaders designed to deliver additional malicious components or programs onto compromised systems. It also includes a file exfiltration grabber and a credential stealer. The latter specifically targets data related to Microsoft Authenticator (passport.net), email clients (Mail.ru, Mozilla Thunderbird, Outlook, The Bat!, Yahoo Mail), browsers (Internet Explorer, Mozilla Firefox, Netscape Navigator), messaging services (Google Talk), and more.

GeminiDuke incorporates loader capabilities along with multiple mechanisms for persistence. It also features stealer functionality used primarily to collect device configuration data. Information of interest includes user accounts, installed drivers and software, running processes, programs and services launched at startup, network settings, the presence of specific folders and files, recently executed programs, recently opened folders and files, and more.

CosmicDuke (also known as BotgenStudios, NemesisGemina, Tinybaron) consists of several loaders, various persistence components, and a privilege escalation module. The bulk of this malware functions as an information stealer, with the ability to exfiltrate files with particular extensions, export cryptographic certificates (including private keys), capture screenshots, record keystrokes (keylogging), extract login credentials (from browsers, email clients, and messengers), and retrieve clipboard contents.

MiniDuke exists in multiple variants, including a loader, a downloader, and a backdoor; its primary role is to prepare a system for further infection or to facilitate that process.

CozyDuke (also known as Cozer, CozyBear, CozyCar, EuroAPT) functions primarily as a backdoor that opens a pathway for additional infections, particularly its own modules. To achieve this, it employs a dropper and multiple modules for maintaining persistence.

Other components include those for extracting system data, executing basic Cmd.exe commands, capturing screenshots, and stealing login credentials. CozyDuke can also drop and execute other files, thereby potentially facilitating various forms of malware infection.

OnionDuke is modular malware offering numerous possible configurations, with loader and dropper capabilities. The program includes various information-stealing modules, among them ones designed for password and data retrieval. It also integrates a module for launching Distributed Denial-of-Service (DDoS) attacks and another for leveraging compromised social networking accounts in spam campaigns (potentially to spread the infection).

SeaDuke (also known as SeaDaddy, SeaDask) is a cross-platform (Windows and Linux) backdoor. A relatively straightforward toolset, its main objective is to execute dropped files, thereby advancing the infection process.

August 18, 2023