Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

MiniDuke Malware Targets Government Organizations

Security researchers have uncovered a highly-customized piece of malware that has been leveraging a recently patched exploit in Adobe Reader.

Security researchers have uncovered a highly-customized piece of malware that has been leveraging a recently patched exploit in Adobe Reader.

Dubbed MiniDuke, the backdoor was spotted in the past week targeting government institutions and organizations worldwide. In cooperation with CrySys Lab, researchers at Kaspersky Lab analyzed the attack and discovered a number of high-profile targets in the government sector had been compromised in countries such as the Ukraine, Belgium, Ireland Portugal, Romania and the Czech Republic. Two think-tanks and a healthcare provider in the U.S. were also compromised, as was a research foundation in Hungary.

“This is a very unusual cyberattack,” said Eugene Kaspersky, CEO of Kaspersky Lab, in a statement.

“MiniDuke’s highly customized backdoor was written in Assembler and is very small in size, being only 20kb,” added Kaspersky. 

To compromise the victims, the attackers relied on social engineering, sending the victims malicious PDF files that often involved fake content related to human rights seminar information, Ukraine’s foreign policy and NATO membership plans. These PDF files were rigged with exploits attacking Adobe Reader versions 11 and 10, and were capable of bypassing Adobe Reader’s sandbox.

Once on the system, a small downloader is dropped onto disc that is only 20 KBs in size. According to Kaspersky Lab, when the library is loaded, the downloader uses a set of mathematical calculations to determine the computer’s configuration. This information is in turn used to uniquely encrypt future communications.

“If the target system meets the pre-defined requirements, the malware will use Twitter (unbeknownst to the user) and start looking for specific tweets from pre-made accounts,” according to a blog post by Kaspersky Lab’s Global Research & Analysis Team (GReAT). “These accounts were created by MiniDuke’s Command and Control (C2) operators and the tweets maintain specific tags labeling encrypted URLs for the backdoors.”

These URLs provide access to C2s, which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files, according to the team.

“Based on the analysis, it appears that the MiniDuke’s creators provide a dynamic backup system that also can fly under the radar – if Twitter isn’t working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next C2,” the researchers blogged. “This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed.”

Once the GIF files are downloaded onto the machine, they can carry out a number of malicious activities, including copying and moving files and downloading new malware.

“I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s,” Eugene Kaspersky noted.

“The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous,” he said.

*This story was updated.

Written By

Click to comment

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Cyberwarfare

The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Cybercrime

Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...

Cyberwarfare

Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...