F-Secure has discovered MiniDuke malware samples in the wild

Security experts at F-Secure discovered a collection of PDF documents with references to Ukraine that contained MiniDuke malware samples.

MiniDuke is the name of a sophisticated cyber espionage campaign discovered more than a year ago by experts at Kaspersky Lab and Hungary’s Laboratory of Cryptography and System Security (CrySyS). The malicious code was used by unknown hackers to infect dozens of computers at government agencies across Europe by exploiting a security flaw in Adobe software; the malicious payload is dropped once the victim opens the malicious PDF file.

The malware was designed to steal sensitive information from government organizations and high-profile entities; the level of sophistication and the nature of the chosen targets suggest that the attacks are part of a state-sponsored espionage campaign.

The authors of MiniDuke implemented many interesting features. It was a tiny piece of malware (20KB), and the overall botnet was controlled through Twitter accounts used as Command & Control, with backup control channels located via Google searches; in this way the attackers made the malware's traffic harder to detect. Another smart feature is the way the attackers deployed an additional backdoor on the victim's system using GIF files that embedded the malware.

Exactly one year later, security experts are still dealing with MiniDuke; this time the attackers used bogus PDF documents related to Ukraine to deceive the victims. Researchers at F-Secure made the disturbing discovery while analyzing the decoy documents extracted from a large batch of potential MiniDuke samples.
“To investigate similar cases, we have created a tool for extracting the payloads and the decoy documents from MiniDuke PDF files. With this tool we were able to process a large batch of potential MiniDuke samples last week. While browsing the set of extracted decoy documents, we noticed several ones that had references to Ukraine. This is interesting considering the current crisis in the area.” reported Mikko Hypponen, the CTO of security research firm F-Secure.
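Hypponen describes a tool that pulls payloads and decoy documents out of MiniDuke PDF files. The Python script below is an added illustration of the first step such a triage tool performs; it is not F-Secure's tool and not code from this article. It walks the objects of a PDF, inflates FlateDecode streams so that keys hidden inside compressed object streams become visible, and reports which objects carry action or embedded-file keys that deserve a closer look. The sample PDF it builds is constructed for the example and contains only a placeholder string, no real payload; the key list, regexes and function names are the example's own assumptions, not a standard.

```python
import re
import zlib

# Dictionary keys that commonly carry active content or embedded payloads.
# Their presence is a triage signal, not proof of malice (assumed list for
# this example, not an exhaustive or standard one).
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                   b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/XFA")

# "N G obj ... endobj" blocks and the stream bodies inside them.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate(data: bytes) -> bytes:
    """Best-effort FlateDecode; returns the raw bytes if inflation fails."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return data


def triage_pdf(pdf: bytes) -> dict:
    """Return {object_number: [suspicious keys]} for every object whose
    dictionary, or whose inflated Flate stream, contains a key from
    SUSPICIOUS_KEYS. Compressed object streams are inflated so that keys an
    author tried to hide from naive string searches are still seen."""
    findings = {}
    for m in OBJ_RE.finditer(pdf):
        obj_id = int(m.group(1))
        body = m.group(3)
        views = [body]
        if b"/FlateDecode" in body:
            for s in STREAM_RE.finditer(body):
                views.append(_inflate(s.group(1)))
        hits = sorted({k.decode() for v in views for k in SUSPICIOUS_KEYS if k in v})
        if hits:
            findings[obj_id] = hits
    return findings


def build_sample_pdf() -> bytes:
    """Constructed sample, not a real malicious file: one benign page object,
    one object declaring an /EmbeddedFile in the clear, and one Flate-compressed
    object stream whose content (an /OpenAction wired to a /JavaScript action
    with a placeholder body) is visible only after inflation."""
    hidden = b"<< /OpenAction << /S /JavaScript /JS (placeholder) >> >>"
    packed = zlib.compress(hidden)
    return b"".join([
        b"%PDF-1.5\n",
        b"1 0 obj\n<< /Type /Page /Contents 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /EmbeddedFile /Length 5 >>\nstream\nhello\nendstream\nendobj\n",
        b"3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n",
    ])


if __name__ == "__main__":
    for obj, keys in triage_pdf(build_sample_pdf()).items():
        print(f"object {obj}: {', '.join(keys)}")
```

A scan like this is a first pass: a hit on /OpenAction or /JavaScript is a reason to hand the file to a full parser or a sandbox, not a verdict, and a clean result says nothing about files that use other filters or deliberately malformed syntax to slip past simple regexes.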

The documents explicitly refer to political issues such as the recent crisis in Ukraine or NATO-related material in an attempt to deceive the victims. F-Secure reported, for example, the existence of a bogus document signed by Ruslan Demchenko, the First Deputy Minister for Foreign Affairs of Ukraine.

“The letter is addressed to the heads of foreign diplomatic institutions in Ukraine. When translated, it’s a note regarding the 100th year anniversary of the 1st World War.” states Hypponen.

The use of such documents suggests that the attackers had access to material from the Ukrainian Ministry of Foreign Affairs; in any case, they have no problem with the language used.

“We don’t know where the attacker got this decoy file from,” F-Secure continues. “We don’t know who was targeted by these attacks. We don’t know who’s behind these attacks. What we do know is that all these attacks used the CVE-2013-0640 vulnerability and dropped the same backdoor (compilation date 2013-02-21).”
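The F-Secure quote ties all of the samples to one backdoor with compilation date 2013-02-21. That date is the TimeDateStamp field of the PE/COFF file header, and it is a cheap pivot for clustering samples during a hunt. The Python below is an added example, not code from F-Secure or from this article: it reads the timestamp from a PE image and checks it against a hunt date. The PE stub it builds carries only the headers the check needs and is constructed for the example; the function and constant names are the example's own. The timestamp is attacker-controllable, so a match is a clustering hint rather than proof of a shared build.

```python
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image, raising ValueError when the
    buffer is not a PE file. Offsets follow the PE/COFF layout: e_lfanew at
    0x3C points at the "PE\\0\\0" signature, and TimeDateStamp sits 8 bytes
    past the signature (after Machine and NumberOfSections)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    if len(data) < e_lfanew + 24:
        raise ValueError("truncated COFF header")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def compile_date(data: bytes) -> str:
    """Timestamp rendered as a UTC calendar date, e.g. '2013-02-21'."""
    ts = pe_timestamp(data)
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def matches_hunt(data: bytes, date: str = "2013-02-21") -> bool:
    """True when the file parses as PE and was (apparently) compiled on `date`.
    Non-PE input is simply a miss rather than an error."""
    try:
        return compile_date(data) == date
    except ValueError:
        return False


def build_sample_pe(ts: int) -> bytes:
    """Constructed stub with just a DOS header, the PE signature and a COFF
    header; enough for a timestamp check, not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, ts, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample with the compilation date quoted in the article.
SAMPLE_TS = int(datetime(2013, 2, 21, tzinfo=timezone.utc).timestamp())
SAMPLE_PE = build_sample_pe(SAMPLE_TS)

if __name__ == "__main__":
    print(compile_date(SAMPLE_PE), matches_hunt(SAMPLE_PE))
```

In a real hunt the date check would be one filter alongside import hashes, section characteristics and code similarity, since a build timestamp can be set to any value with a single header edit.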

Who is behind the attack?

It is impossible to speculate on the real identity of the attackers; attribution is a hard problem, especially when the attackers have shown they can run a high-level APT campaign with sophisticated evasion techniques.

As Hypponen remarked during the recent TrustyCon conference, there is a risk that government-built malware and cyber weapons will run out of control: any government could reverse engineer the code of malware like MiniDuke, and the result could be used by state-sponsored hackers and cyber criminals, two categories separated by a thin line.

Pierluigi Paganini

(Security Affairs – search engine, malware)

March 4th, 2014 UPDATE: “These examples were found by mining old samples. The cases above are from 2013. So far, we haven’t found Ukraine-related Miniduke samples that would have been used in 2014,” reported F-Secure.


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
