GEMINIDUKE

GeminiDuke was developed and deployed around the same time as PinchDuke and CosmicDuke. Unlike its sister campaigns, the January 2009 – December 2012 GeminiDuke campaign focused on collecting system configuration information from infected hosts. Samples of the GeminiDuke malware carry compile timestamps in UTC+3 or UTC+4 depending on the season, which matches Moscow Standard Time and Moscow Summer Time respectively (and, from March 2011 onward, Russia's year-round UTC+4). Note that PE compile timestamps are written by the build toolchain and can be set to any value, so they corroborate an attribution rather than establish it.

Like PinchDuke and CosmicDuke, GeminiDuke was designed around a core information stealer component. The malware consisted of a loader, an information stealer, and numerous persistence components. The information stealer used a mutex whose name was derived from a timestamp to ensure that only one instance of the malware ran at a time; because the name is derived rather than a fixed string, it should not be used as a static indicator without knowing the derivation. The information stealer enumerates: local user accounts, network settings, internet proxy settings, installed drivers, running processes, values of environment variables, programs that run at startup, programs previously executed by the user, programs installed in the Program Files folder, the files and folders in the user's home folder, the files and folders in the user's My Documents folder, and recently accessed files, folders, and programs. The malware employs multiple persistence components similar to those included in CosmicDuke. MiniDuke's backdoor component resembles the source code behind one of GeminiDuke's persistence modules.

Type: Nation-state sponsored

Status: Inactive

Active Since/Discovered: January 2009 – December 2012

Malware:

  • GeminiDuke – Information stealer – backdoor – Trojan
    • Loader
    • Persistence components
    • Information stealer
      • used a mutex whose name was derived from a timestamp to ensure that only one instance of the malware was running at a time
      • enumerates: local user accounts, network settings, internet proxy settings, installed drivers, running processes, values of environment variables, programs that run at startup, programs previously executed by the user, programs installed in the Program Files folder, the files and folders in the user's home folder, the files and folders in the user's My Documents folder, and recently accessed files, folders, and programs
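The enumeration list above (and the same list in the narrative paragraph) is the behavioural signature a defender has to work with, since the mutex name varies and no atomic indicators are given on this page. The following is an added example, not GeminiDuke code and not a published IoC list: it runs over constructed host telemetry and flags a process that touches many of those configuration sources within a short window, which is how a stealer of this kind looks in practice while a legitimate shell or inventory agent spreads the same reads over a long time. The event schema (`ts`, `pid`, `image`, `type`, `target`), the sample events, and the registry keys, API names and paths used as category markers are all assumptions chosen for the example.

```python
"""Recon-burst detection over constructed host telemetry.

Added example (not GeminiDuke code, not a published IoC list): flag a
process that, inside a short window, reads many of the host-configuration
sources the GeminiDuke stealer is described as enumerating. The event
schema, sample events and category markers below are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Registry locations an implant would read per category (assumed markers,
# matched as lower-case substrings of the event target).
REGISTRY_MARKERS = {
    r"\currentversion\run": "startup_programs",
    r"\explorer\userassist": "previously_executed",
    r"\explorer\recentdocs": "recent_items",
    r"\internet settings\proxyserver": "proxy_settings",
    r"\tcpip\parameters\interfaces": "network_settings",
    r"\session manager\environment": "environment",
    r"\sam\domains\account\users": "user_accounts",
}
# Win32 calls that enumerate the remaining categories (assumed markers).
API_MARKERS = {
    "NetUserEnum": "user_accounts",
    "EnumDeviceDrivers": "drivers",
    "CreateToolhelp32Snapshot": "running_processes",
    "GetEnvironmentStrings": "environment",
}
# Directory listings that map to the file-system categories (assumed markers).
DIR_MARKERS = [
    (re.compile(r"^[a-z]:\\program files( \(x86\))?$"), "program_files"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\documents$"), "my_documents"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+$"), "home_folder"),
]

# Constructed telemetry: pid 4120 profiles the host in ~20 s; pid 1240
# (explorer.exe) touches a few of the same keys over half an hour.
SAMPLE_TELEMETRY = r"""
{"ts": "2012-06-01T08:55:00", "pid": 1240, "image": "C:\\Windows\\explorer.exe", "type": "registry_read", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}
{"ts": "2012-06-01T09:00:00", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe", "type": "registry_read", "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"}
{"ts": "2012-06-01T09:00:02", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe", "type": "registry_read", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"}
{"ts": "2012-06-01T09:00:04", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe", "type": "registry_read", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"}
{"ts": "2012-06-01T09:00:06", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe", "type": "registry_read", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer"}
{"ts": "2012-06-01T09:00:08", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe", "type": "registry_read", "target": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces"}
{"ts": "2012-06-01T09:00:10", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe", "type": "api_call", "target": "NetUserEnum"}
{"ts": "2012-06-01T09:00:12", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe", "type": "api_call", "target": "EnumDeviceDrivers"}
{"ts": "2012-06-01T09:00:14", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe", "type": "api_call", "target": "CreateToolhelp32Snapshot"}
{"ts": "2012-06-01T09:00:16", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe", "type": "api_call", "target": "GetEnvironmentStrings"}
{"ts": "2012-06-01T09:00:18", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe", "type": "dir_enum", "target": "C:\\Program Files"}
{"ts": "2012-06-01T09:00:20", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe", "type": "dir_enum", "target": "C:\\Users\\alice"}
{"ts": "2012-06-01T09:00:22", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wuauclt.exe", "type": "dir_enum", "target": "C:\\Users\\alice\\Documents"}
{"ts": "2012-06-01T09:10:00", "pid": 1240, "image": "C:\\Windows\\explorer.exe", "type": "registry_read", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"}
{"ts": "2012-06-01T09:12:00", "pid": 1240, "image": "C:\\Windows\\explorer.exe", "type": "registry_read", "target": "HKCU\\Software\\Classes\\.txt"}
{"ts": "2012-06-01T09:30:00", "pid": 1240, "image": "C:\\Windows\\explorer.exe", "type": "registry_read", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"}
{"ts": "2012-06-01T09:31:00", "pid": 1240, "image": "C:\\Windows\\explorer.exe", "type": "dir_enum", "target": "C:\\Users\\alice\\Documents"}
"""


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return the enumeration category an event indicates, or None."""
    target = event["target"].lower()
    if event["type"] == "registry_read":
        for marker, category in REGISTRY_MARKERS.items():
            if marker in target:
                return category
    elif event["type"] == "api_call":
        return API_MARKERS.get(event["target"])
    elif event["type"] == "dir_enum":
        for pattern, category in DIR_MARKERS:
            if pattern.match(target):
                return category
    return None


def recon_bursts(events, window_s=60, threshold=5):
    """One alert per process whose distinct recon categories inside any
    window_s-second window reach threshold; unclassified events are ignored."""
    hits = defaultdict(list)
    for event in events:
        category = classify(event)
        if category:
            hits[(event["pid"], event["image"])].append(
                (datetime.fromisoformat(event["ts"]), category))
    alerts = []
    for (pid, image), seq in hits.items():
        seq.sort()
        best = set()
        for i, (start, _) in enumerate(seq):  # slide a window from each hit
            in_window = {c for t, c in seq[i:]
                         if (t - start).total_seconds() <= window_s}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= threshold:
            alerts.append({"pid": pid, "image": image, "categories": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in recon_bursts(load_events(SAMPLE_TELEMETRY)):
        print(json.dumps(alert))
```

The scoring counts distinct categories rather than raw key hits because explorer.exe, update agents and inventory tools legitimately read several of these locations; the discriminator is breadth of enumeration inside a tight window, so tune `window_s` and `threshold` against a baseline of your own hosts before alerting on it.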

IoCs:

  • Focus on collecting system configuration information (a behavioural trait, not an atomic indicator)
  • Samples of the malware compiled in UTC+3 and UTC+4 (PE compile timestamps; attacker-controllable, so corroborating evidence only)

Unique:

  • Persistence components similar to those included in CosmicDuke
  • MiniDuke's backdoor component resembles the source code behind one of GeminiDuke's persistence modules
