Security researchers have uncovered a highly-customized piece of malware that has been leveraging a recently patched exploit in Adobe Reader.
Dubbed MiniDuke, the backdoor was spotted in the past week targeting government institutions and organizations worldwide. In cooperation with CrySys Lab, researchers at Kaspersky Lab analyzed the attack and discovered a number of high-profile targets in the government sector had been compromised in countries such as the Ukraine, Belgium, Ireland Portugal, Romania and the Czech Republic. Two think-tanks and a healthcare provider in the U.S. were also compromised, as was a research foundation in Hungary.
“This is a very unusual cyberattack,” said Eugene Kaspersky, CEO of Kaspersky Lab, in a statement.
“MiniDuke’s highly customized backdoor was written in Assembler and is very small in size, being only 20kb,” added Kaspersky.
To compromise the victims, the attackers relied on social engineering, sending the victims malicious PDF files that often involved fake content related to human rights seminar information, Ukraine’s foreign policy and NATO membership plans. These PDF files were rigged with exploits attacking Adobe Reader versions 11 and 10, and were capable of bypassing Adobe Reader’s sandbox.
Once on the system, a small downloader is dropped onto disc that is only 20 KBs in size. According to Kaspersky Lab, when the library is loaded, the downloader uses a set of mathematical calculations to determine the computer’s configuration. This information is in turn used to uniquely encrypt future communications.
“If the target system meets the pre-defined requirements, the malware will use Twitter (unbeknownst to the user) and start looking for specific tweets from pre-made accounts,” according to a blog post by Kaspersky Lab’s Global Research & Analysis Team (GReAT). “These accounts were created by MiniDuke’s Command and Control (C2) operators and the tweets maintain specific tags labeling encrypted URLs for the backdoors.”
These URLs provide access to C2s, which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files, according to the team.
“Based on the analysis, it appears that the MiniDuke’s creators provide a dynamic backup system that also can fly under the radar – if Twitter isn’t working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next C2,” the researchers blogged. “This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed.”
Once the GIF files are downloaded onto the machine, they can carry out a number of malicious activities, including copying and moving files and downloading new malware.
“I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s,” Eugene Kaspersky noted.
“The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous,” he said.
*This story was updated.