GeminiDuke, like PinchDuke and CosmicDuke, was designed around a core information stealer component. The malware consisted of a loader, an information stealer, and numerous persistence components. The information stealer used a mutex based around a timestamp to ensure that only one instance of the malware was running at a time. The information stealer enumerates: local user accounts, network settings, internet proxy settings, installed drivers, running processes, values of environment variables, programs that run at startup, programs previously executed by the users, programs installed in the Programs Files folder, the files and folders in the users’ home folder, the files and folders in the users’ My Documents folder, and recently accessed files, folders, and programs. The malware employs multiple persistence components similar to those included in cosmicduke. MiniDuke’s backdoor component resembles the source code behind one of GeminiDuke’s persistence modules.
No comments:
Post a Comment