MiniDuke miscreants whip out old-school tricks to spy on world+dog

The '90s called... they want their malware back


A new strain of malware designed to spy on multiple government entities and institutions across the world has been discovered by anti-virus firm Kaspersky Lab.

MiniDuke has infected government entities in the Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two think-tanks, and a healthcare provider in the US were also compromised. A prominent research organisation in Hungary was also infected with the mystery malware. An analysis of logs from command servers suggests the malware has hit 59 unique victims in 23 countries, including locations as diverse as Brazil, Israel, Germany, Lebanon, Spain, the UK and Japan.

Attacks designed to spread the malware made use of the recently discovered PDF exploit in Adobe Reader (CVE-2013-6040) to distribute MiniDuke over the past week or so, according to Kaspersky Lab researchers.

Security experts at the Russian security firm reckon MiniDuke features hallmark techniques more associated with really old-school VXers, not least because it features a backdoor written in Assembler language.

“This is a very unusual cyberattack,” said Eugene Kaspersky, founder and chief exec of Kaspersky Lab. “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld.”

"These elite, 'old-school' malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries.

“MiniDuke’s highly customised backdoor was written in Assembler and is very small in size, being only 20KB. The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous,” he added.

Booby-trapped documents that formed the theme of the attack featured fabricated human rights seminar information (ASEM) and Ukraine’s foreign policy and NATO membership plans. These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10, and 11, bypassing Adobe's sandbox in the process. The toolkit used to create these exploits was the same as the one that featured in a recent attack reported by FireEye, even though those latter assaults carried a different attack payload.

The theme of the emails, and local geo-political factors, such as Russian resistance to Ukraine's proposed membership of NATO, along with use of old school techniques make it much more likely that the malware was brewed up in Russia rather than China, in the opinion of El Reg's security desk, at least.

The attackers left a small clue in the code, in the form of the number 666 (0x29A hex) before one of the decryption subroutines, indicating an interest in either the Book of Revelations or the works of Iron Maiden.

“MiniDuke is using the same but slightly modified PDF exploit which was involved in the recent attack reported by FireEye," Vitaly Kamluk, chief malware expert at Kaspersky Lab told El Reg. "However, it is not related to any known platforms used in cyber-espionage campaigns (such as 'Tilded' platform in case of Stuxnet and Duqu or Flame platform).

"Some of the elements remind us of cyber-espionage tools such as Duqu or Red October, such as the minimalistic approach, hacked servers, encrypted channels and also the typology of the victims. The amount of high profile victims in this attack is also notable and puts it on the same level with other advanced campaigns such as Red October."

All this and Twitter functionality, too

Kaspersky Lab’s experts, in partnership with CrySyS Lab, have analysed the attacks and published preliminary findings suggesting whoever created the malware was skilled and well aware of the techniques used by anti-virus analysts. For one thing, the malware is programmed to avoid analysis by a hardcoded set of tools in certain environments like VMware, lying dormant if it finds itself running in a virtualised environment.

If the target’s system meets the pre-defined requirements, the malware will surreptitiously use Twitter to start looking for specific tweets from pre-made accounts, providing the encrypted locations of URLs associated with the spyware botnet's command and control channels. The same functionality allows the loading of additional backdoors onto compromised systems.

MiniDuke’s creators also provided a dynamic backup system. If Twitter isn’t working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next command and control node.

Once an infected system locates the C&C nodes, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim’s machine. Once they are downloaded to the machine they can download a larger backdoor that carries out several basic actions, such as copy file, move file, remove file, make directory, kill process, and, of course, download and execute new malware.
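The article says the second-stage backdoors arrive hidden inside GIF files that pass as ordinary pictures, but gives no detail of how the data is packed. One generic check a defender can run on image files pulled from a proxy cache or mail gateway is to walk the GIF block structure to the 0x3B trailer and flag anything appended after it, which is where the simplest "picture with a payload stapled on" tricks put their data. The code below is an added example, not Kaspersky's, CrySyS's or The Register's; the two sample GIFs (a valid 1x1 image, and the same image with constructed bytes appended) are built inline, and the function names are this example's own.

```python
import struct


def _skip_sub_blocks(data, pos):
    """Advance past a chain of GIF data sub-blocks (length byte + bytes)
    that ends with a 0x00 block terminator. Returns the position after it."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def analyse_gif(data):
    """Parse the GIF container structure (not the LZW pixel data) and report
    how many bytes sit after the 0x3B trailer. Any non-zero count means the
    file carries data that no image viewer will ever read."""
    if not (data.startswith(b"GIF87a") or data.startswith(b"GIF89a")):
        raise ValueError("not a GIF header")
    # Logical screen descriptor: width, height, packed flags (+ bg index, aspect)
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 0x07))   # 3 bytes * 2^(N+1) entries
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block = data[pos]
        if block == 0x3B:                   # trailer
            trailer_offset = pos
            break
        elif block == 0x21:                 # extension: introducer, label, sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:                 # image descriptor (10 bytes)
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:              # local colour table present
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                        # LZW minimum code size byte
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos))
    trailing = len(data) - (trailer_offset + 1)
    return {
        "width": width,
        "height": height,
        "trailer_offset": trailer_offset,
        "trailing_bytes": trailing,
        "suspicious": trailing > 0,
    }


# Constructed sample: a valid 1x1 GIF89a with a two-entry global colour table.
CLEAN_GIF = (
    b"GIF89a"
    + b"\x01\x00\x01\x00\x80\x00\x00"              # LSD: 1x1, GCT flag set, size 0
    + b"\x00\x00\x00\xff\xff\xff"                  # GCT: black, white
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no LCT
    + b"\x02"                                      # LZW minimum code size
    + b"\x02\x44\x01\x00"                          # one data sub-block, terminator
    + b"\x3b"                                      # trailer
)

# Constructed sample: same image with arbitrary bytes appended after the trailer.
STEGO_GIF = CLEAN_GIF + b"CONSTRUCTED-EXTRA-DATA"


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("appended", STEGO_GIF)):
        print(name, analyse_gif(blob))
```

The check is deliberately structural: it does not try to decode pixels or guess an encoding scheme, so a payload hidden inside the LZW stream or a colour table would not be caught, and the article does not say which method MiniDuke used. It is cheap enough to run on every image crossing a gateway, and a GIF whose declared dimensions are tiny but whose file is large is worth a second look even when the trailing count is zero.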

The malware backdoor connects to two servers, one in Panama and one in Turkey, to receive instructions from the attackers, according to a joint analysis of the malware by Kaspersky Lab and Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS), who previously worked with their Russian counterparts in analysing Flame, another cyber-espionage tool.

CrySyS's take on MiniDuke is here. Kaspersky's preliminary analysis, including screenshots of the Twitter messages and GIF files associated with the attack, can be found on its official Securelist blog here. ®

