MiniDuke Malware Targets Government Organizations

https://i0.wp.com/i.ensonhaber.com/resimler/diger/esh2920_7.jpgSecurity researchers have uncovered a highly-customized piece of malware that has been leveraging a recently patched exploit in Adobe Reader.

Dubbed MiniDuke, the backdoor was spotted in the past week targeting government institutions and organizations worldwide. In cooperation with CrySys Lab, researchers at Kaspersky Lab analyzed the attack and discovered a number of high-profile targets in the government sector had been compromised in countries such as the Ukraine, Belgium, Ireland Portugal, Romania and the Czech Republic. Two think-tanks and a healthcare provider in the U.S. were also compromised, as was a research foundation in Hungary.

“This is a very unusual cyberattack,” said Eugene Kaspersky, CEO of Kaspersky Lab, in a statement.

“MiniDuke’s highly customized backdoor was written in Assembler and is very small in size, being only 20kb,” he explained. “This type of compact – yet highly sophisticated – malware was often written in Assembler and was very common back in the days of the VX group “29A”, but is rarely seen nowadays.”

To compromise the victims, the attackers relied on social engineering, sending the victims malicious PDF files that often involved fake content related to human rights seminar information, Ukraine’s foreign policy and NATO membership plans. These PDF files were rigged with exploits attacking Adobe Reader versions 11 and 10, and were capable of bypassing Adobe Reader’s sandbox.

Once on the system, a small downloader is dropped onto disc that is only 20 KBs in size. According to Kaspersky Lab, when the library is loaded, the downloader uses a set of mathematical calculations to determine the computer’s configuration. This information is in turn used to uniquely encrypt future communications.

“If the target system meets the pre-defined requirements, the malware will use Twitter (unbeknownst to the user) and start looking for specific tweets from pre-made accounts,” according to a blog post by Kaspersky Lab’s Global Research & Analysis Team (GReAT). “These accounts were created by MiniDuke’s Command and Control (C2) operators and the tweets maintain specific tags labeling encrypted URLs for the backdoors.”

These URLs provide access to C2s, which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files, according to the team.

“Based on the analysis, it appears that the MiniDuke’s creators provide a dynamic backup system that also can fly under the radar – if Twitter isn’t working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next C2,” the researchers blogged. “This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed.”

Once the GIF files are downloaded onto the machine, they can carry out a number of malicious activities, including copying and moving files and downloading new malware.

“I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s,” Eugene Kaspersky noted.

“The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous,” he said.

via MiniDuke Malware Targets Government Organizations | SecurityWeek.Com.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of the author. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided "as-is". The author shall not be liable for any damages whatsoever arising out of the content or use of this blog.
%d bloggers like this: