Kaspersky Lab identifies MiniDuke malware


Kaspersky Lab’s team of experts has published a research report analyzing a series of security incidents involving the PDF exploit in Adobe Reader (CVE-2013-6040) and the highly customized malware program known as MiniDuke.

MiniDuke has been used as a backdoor to attack multiple government entities and institutions worldwide during the past week. Kaspersky Lab partnered with CrySyS Lab to analyze the attacks in detail and publish the findings. According to their analysis, several high-profile targets have already been compromised, including government entities in Ukraine, Belgium, Portugal, Romania, the Czech Republic and the Republic of Ireland. Other compromised targets include a research institute, two think tanks and a healthcare provider in the United States, and a prominent research foundation based in Hungary.

“This is a very unusual cyberattack,” said Eugene Kaspersky, Founder and CEO of Kaspersky Lab. “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld. These elite, ‘old school’ malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries.”

“MiniDuke’s highly customized backdoor was written in Assembler and is very small in size, being only 20 KB,” added Kaspersky. “The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous.”

The attackers behind MiniDuke are still active and have created new malware in addition to MiniDuke. They sent their targets malicious PDF documents. The PDFs are well written, with content that is of interest to their targets, and are rigged with exploits that attack Adobe Reader 9, 10 and 11, bypassing the sandbox. The exploits were created with a toolkit that appears to be the same one used in the recent attack reported by FireEye. However, the exploits used in the MiniDuke attacks served different purposes and carried their own customized malware.

Once the system has been exploited, a small downloader, only 20 KB in size, is dropped onto the victim’s disk. This downloader is unique to each system it affects and contains a customized backdoor written in Assembler. When it is loaded at system boot, the downloader uses a set of mathematical calculations to determine the computer’s unique fingerprint, and later uses this data to uniquely encrypt its communications.

Anti-virus programs also have a hard time catching MiniDuke, because it is programmed to avoid analysis by a hard-coded set of tools in certain environments such as VMware. If it is detected by any anti-virus software, it will go idle instead of moving to another stage. If it does move to another stage, it exposes more of its functionality by decrypting itself further. The malware writers are well aware of the steps that anti-virus and IT security professionals take to analyze and identify MiniDuke.

MiniDuke also uses Twitter, looking for specific tweets from pre-made accounts that were created by MiniDuke’s Command and Control (C2) operators. The tweets carry specific tags labeling encrypted URLs for the backdoors. These URLs provide access to the C2s, which then provide potential commands and encrypted transfers of more backdoors onto the system via GIF files. MiniDuke’s creators also appear to have built a dynamic backup system that can likewise avoid detection by anti-virus software: MiniDuke can use Google Search to find the encrypted strings. This model is flexible and enables the MiniDuke operators to change how their backdoors retrieve further commands or malicious code. The malware also obfuscates itself within GIF files that pose as pictures on the victim’s machine. Once downloaded onto the victim’s machine, a larger backdoor can carry out actions such as copying, moving, and removing files, making new directories, killing processes, and, of course, downloading and executing new malware.

To read the full research report by Kaspersky Lab and the recommendations for protecting against MiniDuke attacks, please visit Securelist.

To read CrySyS Lab’s report, please visit the following page.