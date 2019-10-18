Infosecurity Group Websites


DNC Russian Hacking Group Makes a Comeback

Security researchers have uncovered new activity from the notorious Kremlin-backed APT29, or Cozy Bear, group, in an information-stealing campaign targeting foreign governments.

APT29 was pegged for the infamous cyber-attacks on the Democratic National Committee (DNC) in the run-up to the 2016 US Presidential election, which many believe helped to install Donald Trump in the White House.

However, up until now there had been little other evidence of activity from the group, apart from a phishing campaign in November last year.

Now ESET researchers claim to have uncovered a new operation from the group dating back to 2013, after it discovered three new malware families: PolyglotDuke, RegDuke and FatDuke.

Targets for Operation Ghost include foreign ministries in at least three different countries in Europe and a Washington DC-based embassy of a European Union country.

The vendor claimed to have discovered multiple attack techniques often used by the group, including use of Twitter and other social sites to host C&C URLs; steganography in images to hide payloads/C&C comms; and use of WMI for persistence.

In addition, the researchers found that some machines infected with PolyglotDuke and MiniDuke had been infected with CozyDuke just months earlier.

“We found strong code similarities between already documented samples and samples from Operation Ghost. We cannot discount the possibility of a false flag operation, however, this campaign started while only a small portion of the Dukes’ arsenal was known,” explained ESET.

“In 2013, at the first known compilation date of PolyglotDuke, only MiniDuke had been documented and threat analysts were not yet aware of the importance of this threat actor. Thus, we believe Operation Ghost was run simultaneously with the other campaigns and has flown under the radar until now.”

The group’s MO is to steal credentials and move laterally through networks, sometimes using admin credentials to compromise machines. PolyglotDuke uses social sites for C&C as well as steganography; RegDuke uses Dropbox as a C&C server; MiniDuke is a second-stage backdoor; and FatDuke represents the third stage, featuring functionality to steal logins and data.
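One concrete check that follows from the techniques listed above is to look for the persistence mechanism the article names, WMI. Permanent WMI event subscriptions live in the root/subscription namespace as three linked objects (an event filter, an event consumer and a binding between them), so enumerating those three classes shows every subscription on a host. The script below is an added defender-side example, not code from the article or from ESET; it assumes an elevated PowerShell session on a Windows host where the root/subscription namespace and its standard classes are readable.

```powershell
# Added example (not from the article or ESET): list permanent WMI event
# subscriptions so that unexpected persistence stands out.
# Assumes an elevated PowerShell session on Windows.

$ns = 'root/subscription'

# 1. Event filters hold the WQL trigger (commonly a timer/uptime or process-start query).
$filters = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)

# 2. Consumers are what runs when a filter fires. CommandLine and ActiveScript
#    consumers are the two that execute arbitrary commands or scripts.
$cmdConsumers    = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer  -ErrorAction SilentlyContinue)
$scriptConsumers = @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)

# 3. Bindings connect a filter to a consumer; an unbound filter or consumer does nothing.
$bindings = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

Write-Host "== Event filters ($($filters.Count))"
$filters | Select-Object Name, QueryLanguage, Query | Format-Table -AutoSize -Wrap

Write-Host "== CommandLine consumers ($($cmdConsumers.Count))"
$cmdConsumers | Select-Object Name, ExecutablePath, CommandLineTemplate | Format-Table -AutoSize -Wrap

Write-Host "== ActiveScript consumers ($($scriptConsumers.Count))"
$scriptConsumers |
    Select-Object Name, ScriptingEngine, ScriptFileName,
        @{ n = 'ScriptPreview'; e = {
            # Collapse whitespace and show only the first 120 characters of inline script text.
            $t = ([string]$_.ScriptText) -replace '\s+', ' '
            $t.Substring(0, [Math]::Min(120, $t.Length))
        } } |
    Format-Table -AutoSize -Wrap

Write-Host "== Filter -> consumer bindings ($($bindings.Count))"
$bindings |
    Select-Object @{ n = 'Filter';   e = { $_.Filter.Name } },
                  @{ n = 'Consumer'; e = { $_.Consumer.Name } } |
    Format-Table -AutoSize

# Triage notes:
# - A clean Windows install carries Microsoft's own SCM event-log filter/consumer pair
#   and little else; additional CommandLine or ActiveScript consumers need an owner.
# - Consumers whose template or script text references powershell.exe, cscript.exe,
#   encoded blobs or a URL are the ones to escalate.
# - Baseline this output per build and diff it across the fleet; a subscription that
#   appears on one host only is the signal, not the absolute count.
```

Running the script on a known-good image first gives the baseline; the same three queries also map directly onto the WMI event-subscription telemetry that endpoint sensors collect, so the output can be compared against what the EDR reports for the same host.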
