MiniDuke miscreants whip out old-school tricks to spy on world+dog

The '90s called... they want their malware back


A new strain of malware designed to spy on multiple government entities and institutions across the world has been discovered by anti-virus firm Kaspersky Lab.

MiniDuke has infected government entities in the Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two think-tanks, and a healthcare provider in the US were also compromised. A prominent research organisation in Hungary was also infected with the mystery malware. An analysis of logs from command servers suggests the malware has hit 59 unique victims in 23 countries, including locations as diverse as Brazil, Israel, Germany, Lebanon, Spain, the UK and Japan.

Attacks designed to spread the malware made use of the recently discovered PDF exploit in Adobe Reader (CVE-2013-6040) to distribute MiniDuke over the past week or so, according to Kaspersky Lab researchers.

Security experts at the Russian security firm reckon MiniDuke features hallmark techniques more associated with really old-school VXers, not least because it features a backdoor written in Assembler language.

“This is a very unusual cyberattack,” said Eugene Kaspersky, founder and chief exec of Kaspersky Lab. “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld.”

“These elite, ‘old-school’ malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries.

“MiniDuke’s highly customised backdoor was written in Assembler and is very small in size, being only 20KB. The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous,” he added.

Booby-trapped documents that formed the theme of the attack featured fabricated human rights seminar information (ASEM) and Ukraine’s foreign policy and NATO membership plans. These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10, and 11, bypassing Adobe's sandbox in the process. The toolkit used to create these exploits was the same as the one that featured in a recent attack reported by FireEye, even though those earlier assaults carried a different attack payload.

The theme of the emails, and local geo-political factors, such as Russian resistance to Ukraine's proposed membership of NATO, along with use of old school techniques make it much more likely that the malware was brewed up in Russia rather than China, in the opinion of El Reg's security desk, at least.

The attackers left a small clue in the code, in the form of the number 666 (0x29A hex) before one of the decryption subroutines, indicating an interest in either the Book of Revelations or the works of Iron Maiden.

“MiniDuke is using the same but slightly modified PDF exploit which was involved in the recent attack reported by FireEye,” Vitaly Kamluk, chief malware expert at Kaspersky Lab, told El Reg. “However, it is not related to any known platforms used in cyber-espionage campaigns (such as the ‘Tilded’ platform in the case of Stuxnet and Duqu, or the Flame platform).

“Some of the elements remind us of cyber-espionage tools such as Duqu or Red October, such as the minimalistic approach, hacked servers, encrypted channels and also the typology of the victims. The amount of high profile victims in this attack is also notable and puts it on the same level with other advanced campaigns such as Red October.”

All this and Twitter functionality, too

Kaspersky Lab’s experts, in partnership with CrySyS Lab, have analysed the attacks and published preliminary findings suggesting whoever created the malware was skilled and well aware of the techniques used by anti-virus analysts. For one thing, the malware is programmed to avoid analysis by a hardcoded set of tools in certain environments like VMware, lying dormant if it finds itself running in a virtualised environment.

If the target’s system meets the pre-defined requirements, the malware will surreptitiously use Twitter to start looking for specific tweets from pre-made accounts, which provide the encrypted locations of URLs associated with the spyware botnet's command and control channels. The same functionality allows the loading of additional backdoors onto compromised systems.

MiniDuke’s creators also provided a dynamic backup system. If Twitter isn’t working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next command and control node.

Once an infected system locates the C&C nodes, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim’s machine. Once they are downloaded to the machine they can download a larger backdoor that carries out several basic actions, such as copy file, move file, remove file, make directory, kill process, and, of course, download and execute new malware.
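The paragraph above describes a second-stage payload carried inside GIF files. A common way of doing that is to append the payload after the GIF trailer byte (0x3B), where image viewers ignore it. The following Python scanner is an added example written for this article, not a tool from Kaspersky Lab, CrySyS or any MiniDuke analysis; it assumes the appended-after-trailer layout and the sample files are constructed inline. It walks the real GIF block structure (logical screen descriptor, colour tables, extension and image blocks) to find where the image legitimately ends, and flags any bytes after that point, as well as files that do not parse as GIFs at all. It does not decrypt anything; the point is that an intact, structurally valid image should end exactly at its trailer.

```python
"""Flag GIF files that carry data after the GIF trailer byte (0x3B).

Added example for the article above; not code from the original page or
from the researchers it cites. Assumption: the hidden payload is appended
after the trailer, which is one common way to hide data in an image file.
"""
import struct

GIF_TRAILER = 0x3B
EXTENSION_INTRODUCER = 0x21
IMAGE_SEPARATOR = 0x2C


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks ending in a 0 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_end_offset(data: bytes) -> int:
    """Return the offset just past the trailer of a well-formed GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    if len(data) < 13:
        raise ValueError("truncated logical screen descriptor")
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13
    if packed & 0x80:  # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        sep = data[pos]
        pos += 1
        if sep == GIF_TRAILER:
            return pos
        if sep == EXTENSION_INTRODUCER:
            pos += 1  # extension label byte
            pos = _skip_sub_blocks(data, pos)
        elif sep == IMAGE_SEPARATOR:
            if len(data) < pos + 9:
                raise ValueError("truncated image descriptor")
            ipacked = struct.unpack_from("<HHHHB", data, pos)[4]
            pos += 9
            if ipacked & 0x80:  # local colour table present
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1  # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unknown block separator 0x{sep:02x} at {pos - 1}")


def trailing_payload(data: bytes) -> bytes:
    """Return whatever follows the GIF trailer (empty for a clean image)."""
    return data[gif_end_offset(data):]


def scan_gif(data: bytes) -> dict:
    """Produce a verdict: malformed files and files with trailing data are suspicious."""
    try:
        end = gif_end_offset(data)
    except ValueError as exc:
        return {"suspicious": True, "reason": f"malformed: {exc}", "trailing_bytes": 0}
    extra = len(data) - end
    return {
        "suspicious": extra > 0,
        "reason": "trailing data after GIF trailer" if extra else "clean",
        "image_end": end,
        "file_size": len(data),
        "trailing_bytes": extra,
    }


# Constructed 1x1 GIF89a (43 bytes): header, screen descriptor, 2-entry
# global colour table, graphic control extension, image block, trailer.
CLEAN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00"
    + b"\x00\x00\x00\xff\xff\xff"
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    + b"\x02\x02\x44\x01\x00" + b"\x3b"
)
# Constructed stand-in for an appended encrypted blob (opaque bytes, not real malware).
APPENDED = b"\x00\x00\x00\x00[constructed opaque payload]"
SUSPICIOUS_GIF = CLEAN_GIF + APPENDED

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_GIF), ("suspicious", SUSPICIOUS_GIF)):
        print(name, scan_gif(sample))
```

Because the scanner follows the block chain rather than searching for the last 0x3B byte, a payload that happens to contain 0x3B does not hide the real image end, and a file whose block chain runs off the end (a "GIF" that is mostly not a GIF) is reported as malformed rather than silently passed. Either verdict is worth a second look from a defender's perspective.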

The malware backdoor connects to two servers, one in Panama and one in Turkey, to receive instructions from the attackers, according to a joint analysis of the malware by Kaspersky Lab and Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS), who previously worked with their Russian counterparts in analysing Flame, another cyber-espionage tool.

CrySyS's take on MiniDuke is here. Kaspersky's preliminary analysis - including screenshots of the Twitter messages and GIF files associated with the attack - can be found on its official Securelist blog here. ®
