Welcome!

Cognitive Computing Authors: Yeshim Deniz, Elizabeth White, Pat Romanski, Liz McMillan, Zakia Bouachraoui

News Feed Item

Kaspersky Lab Identifies 'MiniDuke', a New Malicious Program Designed for Spying on Multiple Government Entities and Institutions Across The World

ABINGDON, England, February 28, 2013 /PRNewswire/ --

New threat actors combine sophisticated "Old School" malware writing skills with newly advanced exploits in Adobe Reader to collect geopolitical intelligence from high profile targets

Today Kaspersky Lab's team of experts published a new research report that analysed a series of security incidents involving the use of the recently discovered PDF exploit in Adobe Reader (CVE-2013-6040) and a new, highly customised malicious program known as MiniDuke. The MiniDuke backdoor was used to attack multiple government entities and institutions worldwide during the past week. Kaspersky Lab's experts, in partnership with CrySys Lab, analysed the attacks in detail and published their findings.

According to Kaspersky Lab's analysis, a number of high profile targets have already been compromised by the MiniDuke attacks, including government entities in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two think tanks, and healthcare provider in the United States were also compromised, as was a prominent research foundation in Hungary.

"This is a very unusual cyberattack," said Eugene Kaspersky, Founder and CEO of Kaspersky Lab. "I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld. These elite, "old school" malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries."

"MiniDuke's highly customised backdoor was written in Assembler and is very small in size, being only 20kb," added Kaspersky. The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous."

Kaspersky Lab's Primary Research Findings:

  • The MiniDuke attackers are still active at this time and have created malware as recently as February 20, 2013. To compromise victims, the attackers used extremely effective social engineering techniques, which involved sending malicious PDF documents to their targets. The PDFs were highly relevant - with well-crafted content that fabricated human rights seminar information (ASEM) and Ukraine's foreign policy and NATO membership plans. These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10, and 11, bypassing its sandbox. A toolkit was used to create these exploits and it appears to be the same toolkit that was used in the recent attack reported by FireEye. However, the exploits used in the MiniDuke attacks were for different purposes and had their own customised malware.

  • Once the system is exploited, a very small downloader is dropped onto the victim's disc that's only 20kb in size. This downloader is unique per system and contains a customised backdoor written in Assembler. When loaded at system boot, the downloader uses a set of mathematical calculations to determine the computer's unique fingerprint, and in turn uses this data to uniquely encrypt its communications later. It is also programmed to avoid analysis by a hardcoded set of tools in certain environments like VMware. If it finds any of these indicators it will run idle in the environment instead of moving to another stage and exposing more of its functionality by decrypting itself further; this indicates the malware writers know exactly what antivirus and IT security professionals are doing in order to analyse and identify malware.

  • If the target's system meets the pre-defined requirements, the malware will use Twitter (unbeknownst to the user) and start looking for specific tweets from pre-made accounts. These accounts were created by MiniDuke's Command and Control (C2) operators, and the tweets maintain specific tags labeling encrypted URLs for the backdoors. These URLs provide access to the C2s, which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files.

  • Based on the analysis, it appears that MiniDuke's creators provide a dynamic backup system that also can fly under the radar. If Twitter isn't working or the accounts are down the malware can use Google Search to find the encrypted strings to the next C2. This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed.  

  • Once the infected system locates the C2, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim's machine. Once they are downloaded to the machine they can download a larger backdoor that carries out several basic actions, such as copy file, move file, remove file, make directory, kill process, and, of course, download and execute new malware.

  • The malware backdoor connects to two servers, one in Panama and one in Turkey, to receive instructions from the attackers.

Kaspersky Lab's system detects and neutralizes the MiniDuke malware, classified as HEUR:Backdoor.Win32.MiniDuke.gen and Backdoor.Win32.Miniduke. Kaspersky Lab also detects the exploits used in the PDF documents, classified as Exploit.JS.Pdfka.giy.

About Kaspersky Lab

Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users*. Throughout its 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for consumers, SMBs and enterprises. The company currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at http://www.kaspersky.co.uk.

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2011. The rating was published in the IDC report "Worldwide Endpoint Security 2012-2016 Forecast and 2011 Vendor Shares (IDC #235930, July 2012). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2011.

© 2013 Kaspersky Lab. The information contained herein is subject to change without notice. The only warranties for Kaspersky Lab products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Kaspersky Lab shall not be liable for technical or editorial errors or omissions contained herein.


Follow us on Twitter

http://www.twitter.com/kasperskyuk

Like us on Facebook

http://www.facebook.com/Kaspersky

Editorial contact:

Berkeley PR    
Louise Mapp    
[email protected]    
Telephone: +44(0)118-909-0909    
   
1650 Arlington Business Park    
RG7 4SA, Reading    

Kaspersky Lab UK
Ruth Knowles
[email protected]
Telephone: +44(0)871-789-1633

Milton Business Park
OX14 4RY, Oxford

More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

IoT & Smart Cities Stories
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...