The PinchDuke campaign, which operated from November 2008 until summer 2010, is believed to be the first campaign of the Duke malware family. PinchDuke targeted political organizations in Georgia, Turkey, Uganda, and the United States. The PinchDuke campaigns began 11 days after President Obama's April 5, 2008 speech concerning the deployment of missile defenses in Poland. In 2009 the PinchDuke campaign targeted the Ministry of Defense in Georgia, the ministries of foreign affairs in Turkey and Uganda, a United States foreign policy think tank, organizations associated with NATO exercises in Europe, and the Georgian Information Centre on NATO. In 2010, the group also targeted Kazakhstan, Kyrgyzstan, Azerbaijan, and Uzbekistan. The political nature of the targets suggests that the campaigns may have been state-sponsored. The selection of targets closely mirrors that of the later APT28/Sofacy campaigns, which are widely believed to be the work of a Russian state-sponsored threat actor.
The Uroburos rootkit is a highly advanced and sophisticated modular malware designed to infect entire networks and exfiltrate confidential data. The sophistication and flexibility of Uroburos suggest that a highly skilled team with access to considerable resources developed it. The significant monetary investment needed to build the Uroburos platform suggests that it was developed to target businesses, nation states, and intelligence agencies rather than average citizens. Based on the exploit kit, the Uroburos group likely has a political or espionage agenda. The Uroburos malware typically infects 32-bit and 64-bit Microsoft Windows systems belonging to governments, embassies, defense industries, pharmaceutical companies, research and education facilities, and other large companies.
Like the rest of the Duke malware family, PinchDuke is attributed to a Russian threat actor because error messages in the malware are written in Russian. Although many regions in Eastern Europe use Russian as their primary language, timestamps in the code suggest that the malware was developed in the same time zone as Moscow. The PinchDuke Trojan samples contain a text string that may serve as a campaign identifier, helping the attackers differentiate between associated Duke malware campaigns that were run in parallel using similar exploitation kits.
The malware was delivered via phishing emails containing spoofed news articles from the BBC website or articles concerning NATO. The malware consists of multiple loaders and an information-stealing trojan. The trojan is based on the source code of the information-stealing malware LdPinch, which has been available on underground forums since the early 2000s. PinchDuke's information stealer targets system configuration files, user credentials, and user files that were either created within a predefined timeframe or whose file extension matches a predefined list. PinchDuke communicated with its C&C servers over HTTP(S). In early 2010, PinchDuke campaigns decreased as other Duke campaigns began. Afterwards, PinchDuke or its components were absorbed into other campaigns. Notably, its loaders were later associated with CosmicDuke, and occasionally the newer malware would install PinchDuke in its entirety on a victim system as a redundant infection.