The MiniDuke backdoor was used to attack multiple government entities and institutions worldwide during the past week. Kaspersky Labís experts, in partnership with CrySys Lab, analyzed the attacks in detail and published their findings.
According to Kaspersky Labís analysis, a number of high profile targets have already been compromised by the MiniDuke attacks, including government entities in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two think tanks, and healthcare provider in the United States were also compromised, as was a prominent research foundation in Hungary.
ďThis is a very unusual cyberattack,Ē said Eugene Kaspersky, Founder and CEO of Kaspersky Lab. ďI remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld. These elite, 'old school' malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries.Ē
MiniDukeís highly customized backdoor was written in Assembler and is very small in size, being only 20kb,Ē added Kaspersky. ďThe combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous.Ē
The MiniDuke attackers are still active at this time and have created malware as recently as February 20, 2013. To compromise victims, the attackers used extremely effective social engineering techniques, which involved sending malicious PDF documents to their targets. The PDFs were highly relevant - with well-crafted content that fabricated human rights seminar information (ASEM) and Ukraineís foreign policy and NATO membership plans. These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10, and 11, bypassing its sandbox. A toolkit was used to create these exploits and it appears to be the same toolkit that was used in the recent attack reported by FireEye. However, the exploits used in the MiniDuke attacks were for different purposes and had their own customized malware.
Once the system is exploited, a very small downloader is dropped onto the victimís disc thatís only 20kb in size. This downloader is unique per system and contains a customized backdoor written in Assembler. When loaded at system boot, the downloader uses a set of mathematical calculations to determine the computerís unique fingerprint, and in turn uses this data to uniquely encrypt its communications later. It is also programmed to avoid analysis by a hardcoded set of tools in certain environments like VMware. If it finds any of these indicators it will run idle in the environment instead of moving to another stage and exposing more of its functionality by decrypting itself further; this indicates the malware writers know exactly what antivirus and IT security professionals are doing in order to analyze and identify malware.
If the targetís system meets the pre-defined requirements, the malware will use Twitter (unbeknownst to the user) and start looking for specific tweets from pre-made accounts. These accounts were created by MiniDukeís Command and Control (C2) operators, and the tweets maintain specific tags labeling encrypted URLs for the backdoors. These URLs provide access to the C2s, which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files.
Based on the analysis, it appears that MiniDukeís creators provide a dynamic backup system that also can fly under the radar. If Twitter isnít working or the accounts are down the malware can use Google Search to find the encrypted strings to the next C2. This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed.
Once the infected system locates the C2, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victimís machine. Once they are downloaded to the machine they can download a larger backdoor that carries out several basic actions, such as copy file, move file, remove file, make directory, kill process, and, of course, download and execute new malware.
The malware backdoor connects to two servers, one in Panama and one in Turkey, to receive instructions from the attackers.
For more details, consult the Kaspersky Lab's report and/or the CrySys Labís one.
To read the full research report by Kaspersky Lab and the recommendations for protecting against MiniDuke attacks, please visit Securelist.
To read CrySys Labís report, please visit the following page.