“Immaterial” bot attacks visitors news resources
MiniDuke – a new piece of malware for cyber espionage in government structures around the world
“Kaspersky Lab” published a research report
the number of incidents which occurred last week and connected with another
an example of cyber espionage against government agencies and scientific
organizations around the world. During the attack, the attackers used
the combination of sophisticated malicious code “old school”
viruspositive and new advanced technologies
vulnerabilities in Adobe Reader – and all this in order to get
these geopolitical nature of the respective organizations.
The malware MiniDuke* spread through recently
discovered exploit in Adobe Reader (CVE-2013-6040). According to
studies conducted “Kaspersky Lab”
together with the Hungarian company CrySys Lab, among the victims of cyber-espionage
program MiniDuke was the state institutions of Ukraine,
Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, from the actions
cyber criminals have suffered a research Institute, two
scientific issledovatelskih center and medical facility in the U.S., as well as
research Foundation in Hungary.
“This is a very unusual cyberattack, Eugene
Kaspersky, CEO “Kaspersky Lab”.
– I remember that this style of programming in
malware was used in the late 1990s-early 2000s. Until very
it is understandable why these makers “woke up” in 10 years
and joined the “advanced” cybercriminals. These
elite malware writers of the old school is successful in creating
complex viruses now combine their skills with new techniques
care from protective technologies in order to attack the state
institutions and research organizations in different countries”.
“designed specifically for these attacks MiniDuke backdoor written in
Assembler very short time – 20 KB – adds
Eugene Kaspersky. – The combination of experience “old school”
virus writers with the latest exploits and clever social
engineering is an extremely dangerous mixture”.
In the study, experts “Kaspersky Lab”
came to the following conclusions:
* The authors MiniDuke still continue
their activity, the last time they modified the malware
February 20, 2013. For penetration into the system of victims of cyber criminals
used effective social engineering techniques by which
send out malicious PDF documents. These documents represented a
relevant and well-chosen set of fabricated content. In
particular, they contain information about the seminar on human rights
(ASEM), the data about the foreign policy of Ukraine, as well as plans of the participating countries
NATO. All these documents contain exploits, attackers 9, 10 and 11 versions
of Adobe Reader. To create these exploits was used
same tools, and with the recent attacks reported
FireEye. However MiniDuke these exploits were used
for other purposes, and contained its own malicious code.
infecting the system to disk, the victim got a small loader size
only 20 KB. It is unique for each system and contains a backdoor,
written in Assembler. In addition, he is able to elude
tools analysis system embedded in some environment, in particular
in VMWare. In case of detection of one of them suspended our backdoor
activities in order to hide its presence in the system. It says
that the malware authors have a clear idea of
the working methods of antivirus companies.
* If the target system
meets the specified requirements, the malware will be (secretly
from the user) to use Twitter to search for special tweets from
previously created accounts. These accounts were established operators
MiniDuke backdoor, and tweets from them support specific tags,
marking encrypted URLS for the backdoor. These URLS
provide access to management servers that, in turn,
ensure the execution of commands and installing backdoors on the infected
system through gifs.
* According to the analysis, it became known that
the creators of MiniDuke use dynamic reserve system
communication, also can escape from anti-virus tools
protection – if Twitter is not working or inactive accounts,
malware can use Google Search to
find encrypted links to new management servers. Once
an infected system connects to the management server, it
begins to receive encrypted through backdoors gifs that
disguised as pictures on the victim’s computer. After loading the car,
these backdoors can perform several basic actions: copy,
to move or delete files, create directories, to stop the process
and, of course, download and execute new malware.
* Backdoor communicate with two servers in Panama and Turkey
– in order to receive instructions from cyber criminals.