MiniDuke responsible for political cyber espionage in 23 countries

Kaspersky Lab has uncovered attacks on the governments of Ireland, Romania, Portugal, Belgium and the Czech Republic, along with a research foundation in Hungary, two think-tanks and a healthcare provider in the US. In all, there were 59 unique victims in 23 countries.

As for who’s behind the attacks, the evidence trail is not very well-marked. The attacking servers are based in Panama and Turkey, but the code yields no further clues.

In February, FireEye announced the discovery of an Adobe Reader zero-day exploit being used to drop a previously unknown, advanced piece of malware. Researchers dubbed this ItaDuke because it reminded them of Duqu and because of the ancient Italian comments in the shellcode, copied from Dante Alighieri’s The Divine Comedy.

Several additional attacks since then are using the same exploit (CVE-2013-0640), which Kaspersky Lab researchers have dubbed MiniDuke. They say these are unusual incidents that suggest a new, previously unknown threat actor. Most notably, the attacks make use of social networking and Twitter.

“The MiniDuke attackers are still active at this time and have created malware as recently as February 20, 2013,” the firm noted in a blog post. “To compromise the victims, the attackers used extremely effective social engineering techniques which involved sending malicious PDF documents to their targets.”

The PDFs carried highly relevant, well-crafted content that fabricated human rights seminar information (ASEM) and Ukraine’s foreign policy and NATO membership plans. These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10 and 11, bypassing its sandbox.

Once the system is exploited, a very small downloader of only 20KB is dropped onto the victim’s disk. This downloader is unique per system and contains a customized backdoor written in Assembler. When loaded at system boot, the downloader uses a set of mathematical calculations to determine the computer’s unique fingerprint, and in turn uses this data to uniquely encrypt its communications later.

If the target system meets the pre-defined requirements, the malware will use Twitter (unbeknownst to the user) and start looking for specific tweets from pre-made accounts. These accounts were created by MiniDuke’s Command and Control operators, and the tweets maintain specific tags labeling encrypted URLs for the backdoors.

These URLs provide access to the command and control servers (C&Cs), which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files.

Based on the analysis, it appears that MiniDuke’s creators provide a dynamic backup system that can also fly under the radar – if Twitter isn’t working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next C&C. This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed.

Once the infected system locates the C&C, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim’s machine.

Once they are downloaded to the machine, they can fetch a larger backdoor which carries out the cyberespionage activities, through functions such as copy file, move file, remove file, make directory, kill process and of course, download and execute new malware and lateral movement tools.
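The article describes the second-stage backdoors as hidden inside GIF files disguised as pictures. As an added defender-side illustration (not code from the article or from Kaspersky’s analysis), the following triage check walks a GIF’s block structure and reports any bytes that follow the image trailer; it assumes the hidden content is appended after the picture ends, which the article does not state, so it is one check among several rather than a MiniDuke signature. The sample GIFs are constructed here for the demonstration.

```python
def gif_bytes_after_trailer(data: bytes) -> int:
    """Walk the GIF block structure and return how many bytes follow the
    trailer (0x3B). A well-formed picture returns 0; a file carrying extra
    content after the image returns the size of that content. Raises
    ValueError (or IndexError on truncation) if the bytes are not a GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("missing GIF header")
    packed = data[10]                       # Logical Screen Descriptor flags
    pos = 13                                # header (6) + LSD (7)
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 0x07))   # 2^(n+1) entries x 3 bytes

    def skip_subblocks(p: int) -> int:
        # data sub-blocks: [len][bytes]... terminated by a zero-length block
        while data[p] != 0:
            p += 1 + data[p]
        return p + 1

    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                     # trailer: image stream ends here
            return len(data) - pos - 1
        if tag == 0x21:                     # extension: label byte + sub-blocks
            pos = skip_subblocks(pos + 2)
        elif tag == 0x2C:                   # image descriptor (10 bytes)
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:              # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos = skip_subblocks(pos + 1)   # LZW min code size, then data
        else:
            raise ValueError(f"unexpected block 0x{tag:02x} at offset {pos}")
    raise ValueError("truncated GIF: no trailer found")


def classify_gif(data: bytes) -> str:
    """Verdict string for a file that claims to be a GIF."""
    try:
        extra = gif_bytes_after_trailer(data)
    except (ValueError, IndexError) as exc:
        return f"malformed ({exc})"
    return "clean" if extra == 0 else f"suspicious: {extra} bytes after trailer"


# Constructed samples: a minimal 1x1 GIF, and the same picture with a blob appended.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00\x3b")
SUSPECT_GIF = CLEAN_GIF + b"CONSTRUCTED-TRAILING-BLOB" * 4

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("suspect", SUSPECT_GIF)):
        print(name, "->", classify_gif(blob))
```

Run it against files logged with an image/gif content type to surface candidates for deeper analysis; a zero result does not prove the file is benign, since other hiding techniques leave the trailer position intact.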
