GeminiDuke

GeminiDuke was developed and deployed around the same time as PinchDuke and CosmicDuke. Unlike its sister campaigns, the January 2009 – December 2012 GeminiDuke campaign focused on collecting system configuration information from infected hosts. Samples of the GeminiDuke malware were compiled in UTC+3 and UTC+4 (depending upon the season), which corresponds to Moscow Standard Time during Daylight Savings Time.

Like PinchDuke and CosmicDuke, GeminiDuke was designed around a core information stealer component. The malware consisted of a loader, an information stealer, and numerous persistence components. The information stealer used a mutex based around a timestamp to ensure that only one instance of the malware was running at a time. The information stealer enumerates: local user accounts, network settings, internet proxy settings, installed drivers, running processes, values of environment variables, programs that run at startup, programs previously executed by the users, programs installed in the Programs Files folder, the files and folders in the users’ home folder, the files and folders in the users’ My Documents folder, and recently accessed files, folders, and programs. The malware employs multiple persistence components similar to those included in CosmicDuke. MiniDuke’s backdoor component resembles the source code behind one of GeminiDuke’s persistence modules.

informationstealer