Threat Report: Malware, the Dukes, and how Systems become Compromised

F-Secure Labs' latest threat report takes a look at developments in last year's threat landscape, unpacks some of last year's most noteworthy security incidents, and gives readers a new analytical tool to help them understand how today's cyber threats compromise security.

Author: Adam
Date: 10.03.2016
Read Time: 6 Minutes

Download Threat Report

F-Secure Labs published their new Threat Report today. The report discusses a wide range of cyber security issues, and uses data collected by F-Secure throughout 2015 to analyze the resources attackers used, and continue to use, to compromise the security of people and companies.

While the first half of the report is largely descriptive of the overall threat landscape, the second half analyzes how some of the year’s more prominent threats (including ransomware and exploit kits) were only individual stages of larger attacks. Contrary to what some might believe, cyber attacks are not just about computer viruses. Today’s attackers combine different resources in multi-phase attacks, where each phase lets them penetrate further and further into their target’s systems and networks.

Chain of Compromise

The Threat Report provides a user-centric model – called the Chain of Compromise (CoC) – to illustrate how attacks are broken up into different phases, and how each phase affects their potential targets. The different phases are not tied to a particular type of attack, nor a particular type of victim, making it different from models commonly employed to analyze particular threats.

This is a significant strength of the CoC. Anyone who’s a potential target can use it to see how cyber threats can cause security incidents, whether that incident be a worm infection or a data breach. The report provides some concrete examples of how to do this, including using the CoC to illustrate how the Dukes – an APT group conducting cyber espionage campaigns – use spear-phishing to manipulate their targets into exposing themselves to the Dukes’ attacks.

This video demonstrates how the Dukes use spear-phishing to incept attacks, intrude into systems, and infect targets with their CosmicDuke infostealer.

“Delivering the bait in disguise”, according to F-Secure Cyber Security Advisor Erka Koivunen, is where the attack begins.

In this case, the recipient receives a forged email (a common trick used by cyber criminals, not just APT groups). The “from” field is just text supplied by the sender, and unless the receiving mail system enforces checks such as SPF, DKIM and DMARC nothing verifies it, so it is simple for attackers to falsify the name and address people see there and trick their targets into thinking an email comes from one person when it was actually sent by someone else.

This is one of the ways attackers such as the Dukes accomplish the Inception phase of an attack. Once the recipient opens the email (or takes the bait, if you’d like), they’ve begun exposing themselves to the threat – the first step in becoming compromised. Now it’s a matter of the attacker convincing the recipient to invite them.

“Decoys are designed to grab your attention,” says Erka.

The email includes an attachment created specifically to be appealing for the intended recipients. In this case, the content in the attachment is a decoy created to distract and misdirect recipients from the true purpose of the document – to run malicious code on the target’s system.

Attackers using spear-phishing emails have specific targets in mind, which makes it easy for them to create content tailored for the recipients’ interests, work, or anything else that will make the content more appealing for their targets. This is the key to social engineering: attackers want their targets to engage with them, just like digital marketers and advertisers try to create messages that encourage customers to click online ads.

You can see this in the video. Both the email subject and the beginning of the attached document signal to readers that the content is about the EU sanctioning Russia over Ukraine. Information like this would be relevant for a wide range of people working in positions related to politics or international affairs – the exact type of people targeted by the Dukes. We’ve seen similar tactics used over and over again in more commoditized attacks as well.

Claiming the information is restricted (in the top right-hand corner of the attachment) gives a plausible reason why the rest of the content is hidden and why the reader supposedly needs to enable macros to see it. Plus, the idea of seeing restricted content is almost too enticing to resist for a recipient who may not normally have access to such sensitive information.

People unfamiliar with how exploits and macro trojans work (see the Threat Report for more information on this) are unlikely to realize this engagement is what attackers need to compromise systems. As you can see in the video, enabling the content does more than just let the recipient read the rest of the document. It enables the Dukes to access the recipient’s system (notice the .tmp process beginning). Executing the malicious code hidden in the document allows the attacker to achieve the Intrusion phase of the compromise, leaving them free to proceed to the Infection phase.

“Once the exploit activates, it’s basically game over,” according to Erka.

Once the recipient has exposed themselves and the attacker has gained access to the system, the CosmicDuke infection takes hold. As the video shows, a .tmp process begins running while the user reads through the document. CosmicDuke is essentially an infostealer, although it comes packed with other components that give it additional capabilities. It steals information using a variety of means, including logging keystrokes, taking screenshots, and exporting decryption keys.

Once this Infection phase is complete, the attacker is positioned to make the compromise worse (although this is not shown in the video). CosmicDuke has persistence components that allow it to remain on systems and have new functionality added by the attackers, letting them penetrate deeper into systems and even proliferate through a network or networks.

So where does that leave targets?

“It means trouble if they don’t do something,” says Erka.

Awareness of these issues needs to be spread throughout companies. Businesses are lucrative targets for spear-phishing campaigns, so IT admins and management need to prepare their workforce to receive these emails from APT groups, cyber criminals, and a range of other actors.

According to the Threat Report, macro malware is making a comeback, so companies should instruct their workforce that enabling macros should be seen as a red flag.

“Attackers are counting on finding employees with bad habits, and enabling macros is basically someone letting their guard down,” says Erka. “If companies don’t want people to ‘click to enable’ out of habit, IT admins should try to eliminate the use of macros within a company, as that will make receiving docs with macros an abnormal event for people. If macros can’t be eliminated from a company’s work, then IT admins should disable all but signed macros, to make sure they don’t come from an untrusted source.”
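The decoy in the video only works once the reader clicks to enable content, and Erka’s advice above is to make a document that asks for that an abnormal event. The added example below (written for this page; it is not F-Secure’s code and not something taken from the Dukes’ tooling) shows the check a mail gateway or triage script can run before such a document ever reaches a reader: does an Office attachment carry a VBA project at all? Modern Office files are ZIP packages, so the check looks for a vbaProject.bin part and for the macro-enabled content type in [Content_Types].xml, and separately flags a package whose file extension promises no macros but contains one. Legacy binary .doc files are OLE compound files and are only recognised here, not parsed; reading their macro streams needs a library such as oletools, which is outside this example. The sample packages are constructed in memory and are not real documents.

```python
import io
import os
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt (OLE compound file)
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def build_sample(with_macro):
    """Build a minimal, constructed OOXML package in memory.

    It is not a real document: just enough of the package structure for the
    check below to have something to look at.
    """
    main_ct = MACRO_CT if with_macro else PLAIN_CT
    vba_default = ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
                   if with_macro else "")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        f"{vba_default}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def inspect_attachment(filename, data):
    """Classify an Office attachment by whether it carries a VBA project.

    Returns a dict whose 'verdict' is 'allow', 'quarantine' or 'review',
    together with the 'reasons' behind it.
    """
    ext = os.path.splitext(filename)[1].lower()
    result = {"filename": filename, "format": "unknown", "has_vba": False, "reasons": []}

    if data.startswith(OLE_MAGIC):
        # Legacy binary format: any macros live in OLE streams not parsed here.
        result["format"] = "ole"
        result["reasons"].append(
            "legacy binary Office file; VBA cannot be ruled out without parsing its OLE streams")
        result["verdict"] = "review"
        return result

    if not zipfile.is_zipfile(io.BytesIO(data)):
        result["verdict"] = "allow"   # not an Office package; outside this check's scope
        return result

    result["format"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        try:
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""

    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if vba_parts:
        result["has_vba"] = True
        result["reasons"].append("VBA project part present: " + ", ".join(vba_parts))
    if "macroEnabled" in content_types or "vbaProject" in content_types:
        result["has_vba"] = True
        result["reasons"].append("[Content_Types].xml declares macro-enabled content")
    if result["has_vba"] and ext not in MACRO_EXTS:
        # Macros inside a package whose extension promises none is a red flag on its own.
        result["reasons"].append(f"extension {ext or '(none)'} does not match a macro-enabled package")

    result["verdict"] = "quarantine" if result["has_vba"] else "allow"
    return result


if __name__ == "__main__":
    for name, blob in [("EU_sanctions_briefing.docm", build_sample(True)),
                       ("EU_sanctions_briefing.docx", build_sample(False))]:
        verdict = inspect_attachment(name, blob)
        print(name, "->", verdict["verdict"], "; ".join(verdict["reasons"]))
```

A gateway check like this sees only whether a VBA project is present, not whether it is signed by a trusted publisher; that distinction is what the Office setting Erka describes (disable all but digitally signed macros) enforces on the endpoint, so the two controls complement rather than replace each other.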

You can download the Threat Report below to learn more about some of 2015’s most prominent threats, or check out this blog post for more information.
