Highly specialised MiniDuke malware targets decision makers

Written in machine code, the MiniDuke malware disguises as a harmless RSS icon

A trojan that has been named MiniDuke is thought to have been used to carry out targeted attacks on international government institutions and companies. The malware infected computers through a hole in the sandbox feature of Adobe Reader (CVE-2013-0640) that was discovered in December. The attackers used a clever approach: the bogus PDFs pretended to contain information on human rights issues and on NATO's membership plans for the Ukraine and had plausible file names.

The code that is included in the PDF file retrieves further malware from the net. Apparently, this malware is a small program of only 22KB that's written in assembly language. The malicious content was obfuscated using a polymorphic compiler that could produce a new variant of the malware every few minutes. As all trojan samples that have been found are different, a signature detection component will have no chance of identifying the malware. However, PDFs that contain the malware can be identified because they include a "@34fZ7E*p \" character string.

However, the researchers at CrySyS Lab, who discovered the trojan, and anti-virus company Kaspersky Lab have found identifying similarities in the way that the malware operates. Immediately after a successful attack, infected computers will establish a connection to Google and Twitter. Both are used to connect with the command & control servers. On Twitter, the malware uses tweets to retrieve encrypted instructions that cause additional code to be downloaded. Google's search appears to be used as a backup in case one of the Twitter accounts is blocked.

The backdoor loads an encrypted executable that disguises itself with a GIF header – to a file viewer such as IrfanView, it will look like a harmless icon. The trojan also uses the Geo IP Tool to determine the location of the computer. Based on this, selected clients receive a different variant of the trojan.

Every victim's PC is given a unique ID that allows the command & control servers to recognise it. Kaspersky says that the servers are located in Panama and Turkey. The observed malware samples retrieved malicious code from compromised servers in Germany, France, Switzerland and the US – including those of an Arabian online book store, a New Age school, a consulting firm, and a machine manufacturing association. The only perceivable similarity among the domains is that the operators don't appear to have updated their web presence for quite some time.

The reports by CrySyS Lab and Kaspersky Lab offer further details about how the malware infects its victims' computers. Kaspersky's report indicates that the attacks started in June 2012 at the latest. The command & control servers continue to be active. From the log files, the security researchers conclude that the highly specialised attack targeted 59 victims in 23 countries – including targets in Germany, Israel, Russia, the UK and the US. Government organisations were specifically targeted in Belgium, Ireland, Portugal, Romania, the Czech Republic and the Ukraine.

The originators of the attack remain unknown. According to Kaspersky's report, there are indications that the trojan was developed by members of the 29A group of virus authors, which was dissolved in 2008: the malware's source code contained the number sequence "666" – the code name of the infamous malware authors in hexadecimal notation.

(fab)