Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

MiniDuke Attack Leveraged IE, Java Exploits

Researchers at Kaspersky Lab and Crysys Lab have discovered two previously-unknown infections mechanisms for MiniDuke, the cyber-espionage malware linked to attacks across the globe.

Researchers at Kaspersky Lab and Crysys Lab have discovered two previously-unknown infections mechanisms for MiniDuke, the cyber-espionage malware linked to attacks across the globe.

According to their analysis, the new infection vectors leverage vulnerabilities in Java and Internet Explorer.  Specifically, a webpage serves “JavaApplet.class”, which implements a Java exploit for CVE-2013-0422. The code of the exploit is similar to the one published in the Metasploit kit, but the inner class that disables the security manager is encoded differently – most likely to avoid detection, explained Igor Soumenkov of Kaspersky Lab in a blog.

Internet Explorer 8 users are targeted using CVE-2012-4792, which was patched in January.

“The exploits are located in separate web pages,” the researcher blogged. “Clients using Internet Explorer version 8 are served with “about.htm”, for other versions of the browser and for any other browser capable of running Java applets, the JavaScript code loads “JavaApplet.html”.”

The finding is the latest twist in the discovery of MiniDuke, which has been linked to attacks against government agencies in countries such as the Ukraine, Belgium, Ireland, Portugal, Romania and the Czech Republic. A Hungarian research foundation as well as two think-tanks and a healthcare provider in the U.S. were also compromised. Last week, researchers found that a variant of the malware dates back to at least June 2011, predating the version researchers initially found.

“It is very sophisticated in terms of coding skill and social engineering,” Razvan Stoica, communication specialist at BitDefender Labs, told SecurityWeek. “It is very simple also, in that it doesn’t have nearly as many “moving parts” as, say, Stuxnet.”

 Though the exploits mentioned above were already known and published at the time of the attack, they were still very recent and could have worked against any designated targets, Soumenkov wrote.

“Although the exploits were already known and published at the time of the attack, they were still very recent and could have worked against designated targets,” the researcher blogged. “As previously recommended, updating Windows, Java and Adobe Reader to the latest versions should provide a basic level of defense against the known MiniDuke attacks. Of course, it is possible that other unknown infection vectors exist; we will continue to monitor the situation and update the blog with new data when appropriate.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.