MiniDuke espionage ring began earlier than first reports suggest


Researchers have found an older sample of the recently identified malware used to spy on government entities and other organizations across the globe. The new finding dates the campaign to at least mid-2011.

Last week, Kaspersky Lab and the cryptography research lab at the Budapest University of Technology and Economics (called CrySys Lab) revealed the first details about MiniDuke, customized malware that takes advantage of a now-patched Adobe Reader vulnerability (CVE-2013-6040), affecting versions 9 through 11 of the software.

Kaspersky and CrySys Lab found that the underground network wielding MiniDuke struck 59 victims in 23 countries since 2012, including government offices in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. The group behind the threat also successfully targeted a research institute, two think tanks and a health care provider in the United States, as well as a prominent research foundation in Hungary. It is still actively spreading its malware.

On Saturday, Romanian anti-virus firm Bitdefender revealed in a blog post that an older sample of MiniDuke has turned up, leading the firm to posit that the malware has been in use since as early as June 2011.  

Kaspersky concluded that the malware is delivered to victims through malicious PDFs designed to exploit an Adobe Reader vulnerability. Attackers use social engineering tactics to lure victims into opening the trap files, which contain fabricated human rights seminar information and other details about Ukraine's bid to become a member of the North Atlantic Treaty Organization (NATO).

Once installed on compromised machines, the malware communicates with and receives instructions from its command-and-control (C2) hub by using Twitter to find tweets with encrypted uniform resource locators (URLs). The tweets are sent from accounts set up by MiniDuke operators.

In addition, researchers found that the malware also uses Google search as a backup method of finding the encrypted URLs if it cannot reach them via Twitter. The firm believes that MiniDuke perpetrators created newer strains of the malware as recently as last month.
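The two paragraphs above describe the lookup sequence a defender can watch for on the network: a process that is not a browser contacts Twitter, possibly falls back to a Google search, and then fetches something from a host it has never spoken to. The following is an added example, not code from the article, Kaspersky, CrySys Lab or Bitdefender; it runs a simple sequence heuristic over constructed proxy log lines. The log format (timestamp, client IP, a pre-classified user-agent kind, URL), the five-minute window and the host names are all assumptions made for the illustration.

```python
"""Sequence heuristic for the Twitter-then-Google C2 lookup pattern.

Added example. The log format, the user-agent classification, the time
window and all host names are assumptions; the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts the article names as the C2 lookup channel and its fallback (assumed FQDNs).
LOOKUP_HOSTS = {"twitter.com", "www.twitter.com", "api.twitter.com"}
SEARCH_HOSTS = {"www.google.com", "google.com"}

# Constructed proxy log: "<ISO timestamp> <client_ip> <ua_kind> <url>".
# 10.0.0.7 is a person browsing; 10.0.0.12 shows the suspicious sequence;
# 10.0.0.20 touches Twitter but fetches from a new host two hours later.
SAMPLE_LOG = """\
2013-03-01T09:00:05 10.0.0.7 browser https://twitter.com/home
2013-03-01T09:00:09 10.0.0.7 browser https://www.google.com/search?q=weather
2013-03-01T09:12:00 10.0.0.12 other https://twitter.com/someaccount
2013-03-01T09:12:04 10.0.0.12 other https://www.google.com/search?q=tagged+term
2013-03-01T09:12:10 10.0.0.12 other http://example-stage.test/update.gif
2013-03-01T09:30:00 10.0.0.20 other https://twitter.com/anotheraccount
2013-03-01T11:30:00 10.0.0.20 other http://example-stage.test/x.gif
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, ua_kind, host)."""
    ts, client, ua_kind, url = line.split(maxsplit=3)
    host = (urlparse(url).hostname or "").lower()
    return datetime.fromisoformat(ts), client, ua_kind, host


def detect_c2_lookups(log_text, window=timedelta(minutes=5), allow=frozenset()):
    """Return one finding per client whose non-browser traffic contacts a
    lookup host and, within `window`, reaches a host that is neither a
    lookup host, a search host nor in `allow`. `via_search` records whether
    a Google search was seen in between, i.e. the fallback path."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, ua_kind, host = parse_line(line)
        if ua_kind == "browser":      # interactive browsing is expected to hit Twitter/Google
            continue
        events[client].append((ts, host))

    findings = []
    for client, evs in events.items():
        evs.sort()
        for i, (t0, h0) in enumerate(evs):
            if h0 not in LOOKUP_HOSTS:
                continue
            used_search = False
            for t1, h1 in evs[i + 1:]:
                if t1 - t0 > window:
                    break                     # too far apart to be one lookup sequence
                if h1 in SEARCH_HOSTS:
                    used_search = True        # fallback channel observed
                    continue
                if h1 in LOOKUP_HOSTS or h1 in allow:
                    continue
                findings.append({
                    "client": client,
                    "lookup_at": t0.isoformat(),
                    "via_search": used_search,
                    "stage_host": h1,
                })
                break                         # one finding per lookup is enough
    return findings


if __name__ == "__main__":
    for f in detect_c2_lookups(SAMPLE_LOG):
        print(f)
```

The heuristic deliberately ignores browser traffic, since people legitimately visit Twitter and Google all day; what it keys on is a non-browser process doing the lookup and then fetching from an unfamiliar host shortly afterwards. Legitimate Twitter API clients will produce the first half of the sequence, so the `allow` set and the per-environment choice of window are where tuning happens.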

Evidence of an older MiniDuke iteration was included in Bitdefender's blog. The firm also noted that the code has since been upgraded: the older version had no way of interacting with C2 servers if the Twitter method failed.

On Friday, Bitdefender followed up with a blog post that provided a free malware removal tool for MiniDuke.

“The samples we have are all customized [and] polymorphized,” Bitdefender researcher Marius Tivadar wrote. “There is an encrypted part which is specifically built for each target machine – but from what we can tell, there is no modularity, like we see with Flamer and Stuxnet…It's very old-school malware, although there are some very modern touches, like the use of Twitter and Google for command-and-control purposes."

Kaspersky and CrySys Lab researchers discovered that MiniDuke connected to two servers in Turkey and Panama to receive instructions from campaign operators, though the servers could be a cover for operations elsewhere. 
