MiniDuke miscreants whip out old-school tricks to spy on world+dog
The '90s called... they want their malware back
A new strain of malware designed to spy on multiple government entities and institutions across the world has been discovered by anti-virus firm Kaspersky Lab.
MiniDuke has infected government entities in the Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two think-tanks, and a healthcare provider in the US were also compromised. A prominent research organisation in Hungary was also infected with the mystery malware. An analysis of logs from command servers, suggest the malware has hit 59 unique victims in 23 countries including locations as diverse as Brazil, Israel, Germany, Lebanon, Spain, the UK and Japan.
Attacks designed to spread the malware made use of the recently discovered PDF exploit in Adobe Reader (CVE-2013-6040) to distribute MiniDuke over the past week or so, according to Kaspersky Lab researchers.
Security experts at the Russian security firm reckon MiniDuke features hallmark techniques more associated with really old-school VXers, not least because it features a backdoor written in Assembler language.
“This is a very unusual cyberattack,” said Eugene Kaspersky, founder and chief exec of Kaspersky Lab. “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld."
"These elite, 'old-school' malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries.
“MiniDuke’s highly customised backdoor was written in Assembler and is very small in size, being only 20KB. The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous,” he added.
Booby-trapped documents that formed the theme of the attack featured fabricated human rights seminar information (ASEM) and Ukraine’s foreign policy and NATO membership plans. These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10, and 11, bypassing Adobe's sandbox in the process. The toolkit used to create these exploits were the same as those that featured in a recent attack reported by FireEye, even though these latter assaults featured a different attack payload.
The theme of the emails, and local geo-political factors, such as Russian resistance to Ukraine's proposed membership of NATO, along with use of old school techniques make it much more likely that the malware was brewed up in Russia rather than China, in the opinion of El Reg's security desk, at least.
The attackers left a small clue in the code, in the form of the number 666 (0x29A hex) before one of the decryption subroutines, indicating an interest in either the Book of Revelations or the works of Iron Maiden.
“MiniDuke is using the same but slightly modified PDF exploit which was involved in the recent attack reported by FireEye," Vitaly Kamluk, chief malware expert at Kaspersky Lab told El Reg. "However, it is not related to any known platforms used in cyber-espionage campaigns (such as 'Tilded' platform in case of Stuxnet and Duqu or Flame platform).
"Some of the elements remind us of cyber-espionage tools such as Duqu or Red October, such as the minimalistic approach, hacked servers, encrypted channels and also the typology of the victims. The amount of high profile victims in this attack is also notable and puts it on the same level with other advanced campaigns such as Red October."
All this and Twitter functionality, too
Kaspersky Lab’s experts, in partnership with CrySys Lab, have analysed the attacks and published preliminary findings suggesting whoever created the malware was skilled and well-aware of the techniques used by anti-virus analysts. For one thing, the malware programmed to avoid analysis by a hardcoded set of tools in certain environments like VMware by laying dormant if it finds itself running in a virtualised environment.
If the target’s system meets the pre-defined requirements, the malware will use surreptitiously use Twitter to start looking for specific tweets from pre-made accounts, providing the encrypted locations of URLs associated with the spyware botnet's command and control channels. The same functionality allows to loading of additional backdoors onto compromised systems.
MiniDuke’s creators also provided a dynamic backup system. If Twitter isn’t working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next command and control node.
Once an infected system locates the C&C nodes, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim’s machine. Once they are downloaded to the machine they can download a larger backdoor that carries out several basic actions, such as copy file, move file, remove file, make directory, kill process, and, of course, download and execute new malware.
The malware backdoor connects to two servers, one in Panama and one in Turkey, to receive instructions from the attackers, according to a joint analysis of the malware by Kaspersky Lab and Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS), who previously worked with their Russian counterparts in analysing Flame, another cyber-espionage tool.
CrySyS's take on MiniDuke is here. Kaspersky's preliminary analysis - including screenshots of Twitter message and GIF files associated with the attack - can be found in screenshots on its official Securelist blog here. ®
It's good to the Vxers getting back to writing effecent code.
Back in the day, it was some of the tightest code out there. (also video demos)
Re: A twitter client in <20KB
Of course assembler lacks security. Asembler is a _language_, security is a _design property_. Always amazed that people think that languages provide security ...
Some brief notest on ML
ML is a macro processor. Like M4 it processes any type of file. Unlike these it is not line orientated and not character based. It processes groups of characters as a group (called "atoms" in the docs). In essence it looks for patterns of them (described as "delimiters" and "arguments") and replaces whichever ones you tell it to. It will then (depending on what you tell it to do) go over the replacement text and replace any macro calls it finds (or not, if you tell it to skip over it). Atoms can be single characters including punctuation.
An m4 macro def looks like a programming language function definition and its call much like a programming language function call, sometimes with parameters.
ML is much more free format. Once it finds the first macro delimiter (IE the macro name, which can be multiple atoms) it then looks for the argument (which can also be multi atom) and the next delimiter and so on, then replaces it by the what follows "AS" in the definition (including the start and end markers, or not as the case may be).
This flexibility does mean that you need to tell it what the "skip" and "insert" atoms (1 or more characters) are to begin with. That means you can process virtually any kind of file contents. The patterns can internally repeat and things like counts of the the number of delimiters and arguments are held in internal (accessible) variables. Including setting up the insert and skip delimiters it can do an infix -> Polish notation conversion in 4 lines.
Downsides. AFAIK its 1 character variable names and the Windows version can only chew on 5 input files at at time (I/O for different OS's is described in different appendices of the user manual, which are separate files). It's flow control is more GOTO/label than anything modern (it dates from the late 60's). It's graph node notation is especially tricky to get used to and it's case sensitive on input, which is starting to look like the big low level design mistake of otherwise excellent languages and tools.
The big one is it's so flat out different from M4 you may have trouble getting your head round it. Effectively you draw a template of what it has to look for. Normally it then takes what it finds in the gaps and drops that into whatever you have defined as the output. I'd say you can come close to re-modelling virtually any language into any other with it if you can figure out how to tell it what to do with the input.
And it's interactive by default, so you can play around quite a lot.
Bottom line. Lots of opportunity for mayhem.