MiniDuke espionage ring began earlier than first reports suggest

Researchers have now discovered an older sample of the recently disclosed MiniDuke malware, which has been used to spy on government entities and other organizations across the globe. The new finding dates the malware to at least mid-2011.

Last week, Kaspersky Lab and the Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics (CrySyS Lab) revealed the first details about MiniDuke, customized malware that takes advantage of a now-patched Adobe Reader vulnerability (CVE-2013-0640) affecting versions 9 through 11 of the software.

Kaspersky and CrySyS Lab found that the group wielding MiniDuke has struck 59 victims in 23 countries since 2012, including government offices in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. The group also successfully targeted a research institute, two think tanks and a health care provider in the United States, as well as a prominent research foundation in Hungary, and it is still actively spreading its malware.

On Saturday, Romanian anti-virus firm Bitdefender revealed in a blog post that an older sample of MiniDuke has turned up, leading the firm to posit that the malware has been in use since as early as June 2011.  

Kaspersky concluded that the malware is delivered to victims through malicious PDFs designed to exploit the Adobe vulnerability. Attackers use social engineering to lure victims into opening the trap files, which contain fabricated human rights seminar information and other details about Ukraine's bid to become a member of the North Atlantic Treaty Organization (NATO).

Once installed on compromised machines, the malware communicates with and receives instructions from its command-and-control (C2) hub by using Twitter to find tweets with encrypted uniform resource locators (URLs). The tweets are sent from accounts set up by MiniDuke operators.

In addition, researchers found that the malware also uses Google search as a backup method of finding encrypted URLs if it could not reach them via Twitter. The firm believes that MiniDuke perpetrators have created newer strains of the malware as recently as last month.

Evidence of the older MiniDuke iteration was included in Bitdefender's blog post. The firm also noted that the code has since been upgraded: the older sample had no way of reaching its C2 servers if the Twitter method failed, whereas the current version falls back to Google search.

On Friday, Bitdefender followed up with a blog post that provided a free malware removal tool for MiniDuke.

“The samples we have are all customized [and] polymorphized,” Bitdefender researcher Marius Tivadar wrote. “There is an encrypted part which is specifically built for each target machine – but from what we can tell, there is no modularity, like we see with Flamer and Stuxnet…It's very old-school malware, although there are some very modern touches, like the use of Twitter and Google for command-and-control purposes."

Kaspersky and CrySyS Lab researchers discovered that MiniDuke connected to two servers in Turkey and Panama to receive instructions from campaign operators, though the servers could be a cover for operations elsewhere.
