Incident Response, Malware, TDR

MiniDuke espionage ring began earlier than first reports suggest

Researchers have now discovered an older sample of recently discovered malware used to spy on government entities and other organizations across the globe. The new findings date the exploits to at least mid-2011.

Last week, Kaspersky Lab and the cryptography research lab at the Budapest University of Technology and Economics (called CrySys Lab) revealed the first details about MiniDuke, customized malware that takes advantage of a now-patched Adobe Reader vulnerability (CVE-2013-6040), affecting versions 9 through 11 of the software.

Kaspersky and CrySys Lab found that the underground network wielding MiniDuke struck 59 victims in 23 countries since 2012, including government offices in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. The group behind the threat also successfully targeted a research institute, two think tanks and a health care provider in the United States, as well as a prominent research foundation in Hungary. It is still actively spreading its malware.

On Saturday, Romanian anti-virus firm Bitdefender revealed in a blog post that an older sample of MiniDuke has turned up, leading the firm to posit that the malware has been in use since as early as June 2011.  

Kaspersky concluded that the malware is delivered to victims through malicious PDFs designed to exploit the Adobe vulnerability. Attackers use social engineering tactics to lure victims into opening the trap files, which contain fabricated human rights seminar information and other details about Ukraine's bid to become a member of the North Atlantic Treaty Organization (NATO).

Once installed on compromised machines, the malware communicates with and receives instructions from its command-and-control (C2) hub by using Twitter to find tweets with encrypted uniform resource locators (URLs). The tweets are sent from accounts set up by MiniDuke operators.

In addition, researchers found that the malware uses Google search as a backup method of finding the encrypted URLs if it cannot reach them via Twitter. The firm believes that MiniDuke's operators have created newer strains of the malware as recently as last month.
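The behaviour described above, a document viewer reaching out to Twitter and then Google search, is something a defender can hunt for in proxy logs. The following is an added example, not code from the article or from either research lab; the log format, host names and process names are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed proxy-log lines (hypothetical format: timestamp, workstation,
# process, destination host, full URL). Not from the article; illustrative only.
SAMPLE_LOG = """\
2013-03-04T10:01:12Z ws-17 AcroRd32.exe twitter.com https://twitter.com/someoperator
2013-03-04T10:01:15Z ws-17 AcroRd32.exe www.google.com https://www.google.com/search?q=example
2013-03-04T10:02:00Z ws-22 chrome.exe twitter.com https://twitter.com/home
2013-03-04T10:03:30Z ws-17 AcroRd32.exe update.adobe.com https://update.adobe.com/check
"""

# Document viewers have no business reading social-media feeds or running searches
DOCUMENT_VIEWERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe"}
# Destinations the article ties to MiniDuke's C2 lookup: Twitter feeds, then Google search
TWITTER_HOSTS = {"twitter.com", "www.twitter.com", "api.twitter.com"}
GOOGLE_SEARCH = re.compile(r"^https?://(www\.)?google\.[a-z.]+/search(\?|$)")

Finding = namedtuple("Finding", "timestamp workstation process dest reason")


def parse_line(line):
    """Split one constructed log line into its five fields, or None if malformed."""
    parts = line.split(maxsplit=4)
    return parts if len(parts) == 5 else None


def flag_suspicious(log_text):
    """Return findings for document viewers contacting Twitter or issuing Google searches."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ws, process, dest, url = rec
        if process.lower() not in DOCUMENT_VIEWERS:
            continue  # a browser hitting Twitter is normal; skip it
        if dest.lower() in TWITTER_HOSTS:
            findings.append(Finding(ts, ws, process, dest, "document viewer fetching Twitter feed"))
        elif GOOGLE_SEARCH.match(url):
            findings.append(Finding(ts, ws, process, dest, "document viewer issuing Google search"))
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_LOG):
        print(f"{f.timestamp} {f.workstation} {f.process} -> {f.dest}: {f.reason}")
```

Two of the four constructed lines are flagged; the Chrome visit to Twitter and the Reader update check are left alone.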

Evidence of the older MiniDuke iteration was included in Bitdefender's blog. The firm also noted that the code had since been upgraded: the older variant had no way of interacting with C2 servers if the Twitter method failed.

On Friday, Bitdefender followed up with a blog post that provided a free malware removal tool for MiniDuke.

“The samples we have are all customized [and] polymorphized,” Bitdefender researcher Marius Tivadar wrote. “There is an encrypted part which is specifically built for each target machine – but from what we can tell, there is no modularity, like we see with Flamer and Stuxnet… It's very old-school malware, although there are some very modern touches, like the use of Twitter and Google for command-and-control purposes.”

Kaspersky and CrySys Lab researchers discovered that MiniDuke connected to two servers in Turkey and Panama to receive instructions from campaign operators, though the servers could be a cover for operations elsewhere. 
