
Threat Group Cards: A Threat Actor Encyclopedia

Tool: CosmicDuke

Names: CosmicDuke, TinyBaron, BotgenStudios, NemesisGemina
Category: Malware
Type: Backdoor, Keylogger, Info stealer, Credential stealer, Exfiltration

Description (F-Secure): The CosmicDuke toolset is designed around a main information stealer component. This information stealer is augmented by a variety of components that the toolset operators may selectively include with the main component to provide additional functionalities, such as multiple methods of establishing persistence, as well as modules that attempt to exploit privilege escalation vulnerabilities in order to execute CosmicDuke with higher privileges. CosmicDuke’s information stealing functionality includes:
• Keylogging
• Taking screenshots
• Stealing clipboard contents
• Stealing user files with file extensions that match a predefined list
• Exporting the user's cryptographic certificates, including private keys
• Collecting user credentials, including passwords, for a variety of popular chat and email programs as well as from web browsers

CosmicDuke may use HTTP, HTTPS, FTP or WebDav to exfiltrate the collected data to a hardcoded C&C server.
Information: https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf
MITRE ATT&CK: https://attack.mitre.org/software/S0050/

Last change to this tool card: 22 April 2020


All groups using tool CosmicDuke

APT groups

Changed  Name                          Country  Observed
X        APT 29, Cozy Bear, The Dukes  Russia   2008-2020

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
