Wednesday, February 27, 2013
MiniDuke - a new cyber-espionage tool
The attack used a combination of sophisticated "old school" malware-writing craft and newer, advanced techniques for exploiting vulnerabilities in Adobe Reader, all in order to obtain data from organizations of a geopolitical nature.
The MiniDuke malicious program spread by means of a recently discovered exploit for Adobe Reader (CVE-2013-6040). According to a study conducted by Kaspersky Lab in cooperation with the Hungarian company CrySyS Lab, the victims of the MiniDuke cyber-espionage program included state institutions in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two scientific research centers and a medical facility in the United States, as well as a research foundation in Hungary, suffered from the cybercriminals' actions.
"This is a very unusual cyberattack," says Eugene Kaspersky, CEO of Kaspersky Lab. "I remember that this style of malware programming was used in the late 1990s and early 2000s. It is not very clear why the virus writers 'woke up' after 10 years and joined the advanced cybercriminals. These elite old-school malware writers are successful in creating complex viruses, and they combine this ability with new methods of evading security technologies in order to attack government agencies and research organizations in different countries."
"The MiniDuke backdoor, designed specifically for these attacks, is written in Assembler and is extremely small, only 20 kB," adds Kaspersky. "The combination of the experience of 'old school' virus writers with the latest exploits and clever social engineering techniques is a very dangerous mix."
The antivirus company's report says that the authors of MiniDuke are still continuing their activities; the last time they modified the malicious program was February 20, 2013. To penetrate a victim's system, the cybercriminals use effective social engineering methods, sending out malicious PDF documents. These documents carried a relevant and well-chosen set of fabricated content. In particular, they contained information about a seminar on human rights (ASEM), data on the foreign policy of Ukraine, and plans of NATO member nations. All of these documents contain exploits attacking versions 9, 10 and 11 of Adobe Reader. The same tools were used to create these exploits as in the recent attacks reported by the company FireEye. However, in MiniDuke these exploits were used for other purposes and carried their own malicious code.
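The report describes malicious PDF attachments carrying Reader exploits as the delivery mechanism. As an added example, not part of the original report and not tooling from Kaspersky Lab or CrySyS Lab, here is a small Python triage script that a defender could run over incoming PDF attachments to flag documents containing active content (JavaScript, automatic actions, launch actions, embedded files) before they are opened. The keyword list is a generic set of PDF features worth a second look, not indicators taken from the MiniDuke campaign, and both sample documents are constructed inline. It goes slightly beyond the text by also decoding hex-escaped PDF names (for example `/J#61vaScript`), a common trick for hiding such keywords from naive string matching.

```python
"""Minimal PDF triage: count risky PDF name objects in raw bytes.

Assumed/constructed: the keyword list below is a generic set of PDF
features that warrant review, and the two sample PDFs are built inline
for illustration. None of this is taken from the MiniDuke samples.
"""
import re
from collections import Counter

# Name objects that warrant review in documents arriving by e-mail.
RISKY_NAMES = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/XFA", "/JBIG2Decode",
)

# PDF names may encode any byte as #xx; matching must undo that first.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name token: a slash followed by non-whitespace, non-delimiter bytes.
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]+")


def normalize_name(raw: bytes) -> str:
    """Decode PDF name hex escapes, so /J#61vaScript becomes /JavaScript."""
    decoded = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def count_risky_names(pdf: bytes) -> dict:
    """Return a {name: occurrences} map for the risky names found."""
    counts = Counter()
    for match in _NAME.finditer(pdf):
        name = normalize_name(match.group(0))
        if name in RISKY_NAMES:
            counts[name] += 1
    return dict(counts)


def triage(pdf: bytes) -> dict:
    """Summarize a document: header check, risky names, review verdict."""
    counts = count_risky_names(pdf)
    return {
        "is_pdf": pdf.startswith(b"%PDF-"),
        "risky": counts,
        "needs_review": bool(counts),
    }


# Constructed sample: a one-page PDF with no active content.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: same page, but the catalog runs a hex-escaped
# JavaScript action automatically when the document opens.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage(sample))
```

This is a pre-filter, not an exploit detector: a document that triggers no keyword can still carry a malformed object that exploits a parser bug, so flagged files should go to a sandbox or a dedicated PDF analysis tool, and unflagged files from unexpected senders still deserve attention. Because it works on raw bytes, it also sees names inside uncompressed object streams but not inside compressed ones; a production version would inflate `/FlateDecode` streams before scanning.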
When a system is infected, a small loader of only 20 kB is dropped onto the victim's drive. It is unique to each system and contains a backdoor written in Assembler. In addition, it is able to evade the analysis tools built into some environments, in particular VMware. If it detects one of these, the backdoor suspends its activity in order to hide its presence in the system. This suggests that the malware authors have a clear understanding of the working methods of anti-virus companies.