Meet the malware that's targeting drug dealers


by Jimmy Nicholls | 04 July 2014

These hackers are so civilised they work regular hours as well.

Malware known as Miniduke is being targeted at drug dealers in a turn away from last year's focus on governments, according to security firm Kaspersky.

The advanced persistent threat (APT) had become less prominent after a report from the company last March, but resurfaced near the start of this year.

Kaspersky said: "While the old style Miniduke implants were used to target mostly government victims, the new style CosmicDuke implants have a somehow different typology of victims.

"The most unusual is the targeting of individuals that appear to be involved in the traffic and reselling of controlled and illegal substances, such as steroids and hormones."

Kaspersky believes the malware may be used by Russian police to pursue criminals as a form of "legal spyware", or by rival gangsters seeking to gain an edge over their competition.

Samples found by the company also indicate that the attackers roughly follow a regular working week, with most activity recorded between 6am and 4pm GMT on weekdays and only occasional overtime at weekends.
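The working-week pattern described above is the kind of conclusion an analyst draws by bucketing activity timestamps by weekday and hour in a fixed time zone. The script below is an added example, not code from Kaspersky's report: it takes a list of timestamps (the values are constructed for illustration; in practice they would be PE compile times or C&C contact times from your own telemetry), normalises them to GMT, prints per-day and per-hour counts, and reports how much of the activity fits a Monday-to-Friday 06:00-16:00 GMT window. The window boundaries are taken from the article; everything else is an assumption.

```powershell
# Added example (not from Kaspersky's report): profile operator activity by
# weekday and hour in GMT. The timestamps are constructed sample data.
$samples = @(
    '2014-01-13T07:15:00Z', '2014-01-13T09:42:00Z', '2014-01-14T11:05:00Z',
    '2014-01-15T13:30:00Z', '2014-01-16T08:55:00Z', '2014-01-17T15:20:00Z',
    '2014-01-18T10:10:00Z',   # a Saturday: the "occasional overtime" case
    '2014-01-20T06:30:00Z', '2014-01-21T14:45:00Z', '2014-01-22T19:00:00Z'
)

$workStart = 6    # 06:00 GMT, from the article
$workEnd   = 16   # 16:00 GMT, exclusive

$events = foreach ($s in $samples) {
    # Parse as UTC explicitly; a plain [datetime] cast would shift the value
    # into the analyst's local zone and skew the hour buckets.
    $t = [datetime]::Parse($s, [cultureinfo]::InvariantCulture,
                           [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    [pscustomobject]@{
        Time    = $t
        Day     = $t.DayOfWeek
        Hour    = $t.Hour
        Weekday = $t.DayOfWeek -notin 'Saturday', 'Sunday'
        InShift = ($t.Hour -ge $workStart) -and ($t.Hour -lt $workEnd)
    }
}

# Per-weekday and per-hour counts: the two axes of the usual activity heatmap
$events | Group-Object Day | Sort-Object { [int][DayOfWeek]$_.Name } |
    Select-Object @{ n = 'Day'; e = { $_.Name } }, Count | Format-Table -AutoSize
$events | Group-Object Hour | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'HourGMT'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Share of activity consistent with a Mon-Fri, 06:00-16:00 GMT working day
$inPattern = @($events | Where-Object { $_.Weekday -and $_.InShift }).Count
$share = $inPattern / $events.Count
'{0} of {1} events ({2:P0}) fall inside the working-week window' -f $inPattern, $events.Count, $share
```

A handful of samples proves nothing on its own; the pattern becomes meaningful only when it holds across many samples and across time, and when the same offset is checked against candidate time zones (an operator in UTC+3 working 9am-7pm local produces the same GMT window as one in UTC+0 working 6am-4pm).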

The malware relies on Twitter accounts containing a URL that points to the command-and-control (C&C) server used to send it instructions. It is disguised as a spoof application mimicking an updater for software such as Google Chrome, Adobe Acrobat or Java.

A significant difference from last year's campaign is a new custom backdoor, which remains capable of stealing information such as passwords, address books and network details, according to the firm.

"Miniduke/CosmicDuke is capable of starting via Windows Task Scheduler, via a customized service binary that spawns a new process set in the special registry key, or is launched when the user is away and the screensaver is activated," Kaspersky said.
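The three start-up routes Kaspersky lists (a scheduled task, a service binary that spawns a process, and the screensaver) are all places a defender can look on a suspect host. The script below is an added example, not Kaspersky's code: it enumerates each of those locations on a Windows machine and flags entries whose image lives outside the Windows and Program Files directories. The article does not name the registry key or service the implant uses, so the checks are generic heuristics (the "trusted path" filter, the ServiceDll lookup and the SCRNSAVE.EXE value are all assumptions of this example), and a hit is a triage lead, not a verdict.

```powershell
# Added example (not Kaspersky's code): triage the persistence routes named in
# the report. Run in an elevated PowerShell 5.1+ session; heuristics are assumptions.
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Source, $Name, $Path) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Path = $Path })
}

# Cheap first filter: images outside these directories deserve a closer look
$trusted = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")

function Test-Untrusted([string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim().Trim('"'))
    # Keep only the image path, dropping any arguments that follow it
    $image = if ($cmd -match '^(?<img>.+?\.(exe|scr|dll))') { $Matches.img } else { $cmd }
    foreach ($t in $trusted) {
        if ($t -and $image.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true   # bare names without a directory are flagged too, deliberately
}

# 1. Scheduled tasks whose exec action runs an image from an untrusted location
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and (Test-Untrusted $a.Execute)) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
        }
    }
}

# 2. Services: an untrusted service binary, or a ServiceDll value under the
#    service's Parameters key that points outside the trusted directories
Get-CimInstance Win32_Service | ForEach-Object {
    if (Test-Untrusted $_.PathName) { Add-Finding 'Service' $_.Name $_.PathName }
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll -and (Test-Untrusted $dll)) { Add-Finding 'ServiceDll' $_.Name $dll }
}

# 3. Screensaver: SCRNSAVE.EXE in each loaded user hive should be a stock .scr
#    under the Windows directory; anything else runs when the user walks away
Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
    $key = "Registry::$($_.Name)\Control Panel\Desktop"
    $scr = (Get-ItemProperty -Path $key -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
    if ($scr -and (Test-Untrusted $scr)) { Add-Finding 'Screensaver' $_.PSChildName $scr }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No untrusted persistence entries found.' }
```

Legitimate software installed under user profiles (updaters in AppData are common) will show up here, so expect to whitelist; what the list buys you is a short set of images to hash, sign-check and compare across hosts rather than a verdict on its own.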

As well as drug dealers, the malware is said to be targeting governments, military groups, the energy sector and telecoms operators in Europe, Australia and the United States.

Kaspersky believes the attackers scanned IP ranges as far afield as Azerbaijan, Greece and Ukraine, suggesting a desire to expand their operations.

Source: Company Press Release
