
MiniDuke – a new piece of malware for cyber espionage in government structures around the world

Kaspersky Lab has published a research report on a number of incidents that occurred last week and are connected with yet another example of cyber espionage against government agencies and scientific organizations around the world. In this attack, the attackers combined sophisticated "old school" malicious code from veteran virus writers with new, advanced techniques exploiting vulnerabilities in Adobe Reader, all in order to obtain data of a geopolitical nature from the targeted organizations.

The MiniDuke malware spread through a recently discovered exploit in Adobe Reader (CVE-2013-6040). According to research conducted by Kaspersky Lab together with the Hungarian company CrySys Lab, the victims of the MiniDuke cyber-espionage program include state institutions in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two scientific research centers and a medical facility in the U.S., as well as a research foundation in Hungary, have suffered from the cyber criminals' actions.

"This is a very unusual cyberattack," says Eugene Kaspersky, CEO of Kaspersky Lab. "I remember that this style of programming in malware was used in the late 1990s and early 2000s. It is not yet entirely clear why these authors 'woke up' after 10 years and joined the 'advanced' cybercriminals. These elite malware writers of the old school, who were successful in creating complex viruses, now combine their skills with new techniques for evading protective technologies in order to attack state institutions and research organizations in different countries."

"The MiniDuke backdoor, designed specifically for these attacks, is written in Assembler and is very small, only 20 KB," adds Eugene Kaspersky. "The combination of the experience of 'old school' virus writers with the latest exploits and clever social engineering is an extremely dangerous mixture."

In the course of the study, Kaspersky Lab experts came to the following conclusions:

* The authors of MiniDuke are still active; they last modified the malware on February 20, 2013. To penetrate victims' systems, the cyber criminals used effective social engineering techniques, sending out malicious PDF documents. These documents consisted of a relevant and well-chosen set of fabricated content. In particular, they contained information about a seminar on human rights (ASEM), data about the foreign policy of Ukraine, as well as plans of NATO member countries. All these documents contained exploits attacking versions 9, 10 and 11 of Adobe Reader. The same tools were used to create these exploits as in the recent attacks reported by FireEye. However, in MiniDuke these exploits were used for other purposes and carried their own malicious code.

* Upon infection, a small loader of only 20 KB was written to the victim's disk. It is unique for each system and contains a backdoor written in Assembler. In addition, it is able to evade system analysis tools embedded in some environments, in particular in VMware. If it detects one of them, the backdoor suspends its activity in order to hide its presence in the system. This indicates that the malware authors have a clear understanding of the working methods of antivirus companies.

* If the target system meets the specified requirements, the malware will (hidden from the user) use Twitter to search for special tweets from previously created accounts. These accounts were set up by the operators of the MiniDuke backdoor, and tweets from them carry specific tags marking encrypted URLs for the backdoor. These URLs provide access to command-and-control servers that, in turn, ensure the execution of commands and the installation of backdoors on the infected system via GIF files.

* The analysis also showed that the creators of MiniDuke use a dynamic backup communication channel that can likewise escape anti-virus protection tools: if Twitter is not working or the accounts are inactive, the malware can use Google Search to find encrypted links to new command-and-control servers. Once an infected system connects to a command-and-control server, it begins to receive encrypted backdoors through GIF files disguised as pictures on the victim's computer. After loading onto the machine, these backdoors can perform several basic actions: copy, move or delete files, create directories, stop processes and, of course, download and execute new malware.

* The backdoor communicates with two servers, in Panama and Turkey, in order to receive instructions from the cyber criminals.
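As an added defender-side example, not code from the Kaspersky report or this article: a small Python check for files that, like the GIF carriers described above, hold data beyond the end of a valid GIF image. It walks the real GIF block structure, reports how many bytes follow the 0x3B trailer and how random they look. The sample files and the appended-payload heuristic are assumptions of this example, not MiniDuke's actual carrier format.

```python
import math
from collections import Counter

GIF_HEADERS = (b"GIF87a", b"GIF89a")

def shannon_entropy(buf: bytes) -> float:
    # Bits per byte; values near 8.0 suggest encrypted or compressed data.
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def gif_image_end(data: bytes) -> int:
    # Walk the GIF block structure; return the offset just past the 0x3B trailer.
    if data[:6] not in GIF_HEADERS:
        raise ValueError("not a GIF header")
    packed, pos = data[10], 13              # logical screen descriptor is bytes 6..12
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 0x07))   # 3 * 2^(n+1) bytes
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:                   # trailer: a well-formed file ends here
            return pos
        if block == 0x21:                   # extension: label byte, then sub-blocks
            pos += 1
        elif block == 0x2C:                 # image descriptor (9 bytes)
            lpacked, pos = data[pos + 8], pos + 9
            if lpacked & 0x80:              # local colour table
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                        # LZW minimum code size
        else:
            raise ValueError(f"unknown block 0x{block:02x} at {pos - 1}")
        while (n := data[pos]) != 0:        # data sub-blocks end with a 0 length
            pos += 1 + n
        pos += 1                            # skip the terminating 0 byte
    raise ValueError("no GIF trailer found")

def inspect_gif(data: bytes) -> dict:
    # Flag a GIF that carries bytes beyond its trailer and rate their entropy.
    end = gif_image_end(data)
    extra = data[end:]
    return {"image_bytes": end, "trailing_bytes": len(extra),
            "trailing_entropy": round(shannon_entropy(extra), 3),
            "suspicious": len(extra) > 0}

# Constructed samples: a minimal 1x1 GIF, and the same GIF with 512 bytes of
# high-entropy data appended to stand in for an encrypted payload (assumption).
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"\x21\xf9\x04\x01\x00\x00\x00\x00"
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
CARRIER_GIF = CLEAN_GIF + bytes(range(256)) * 2
```

A trailing-bytes count above zero is only a lead: legitimate tools sometimes append metadata, so the entropy figure and the file's origin decide whether it is worth pulling for analysis.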