MiniDuke Malware spreads via Fake Ukraine-related Documents
A year ago, security researchers from the antivirus firm Kaspersky found a sophisticated piece of malware, which they dubbed ‘MiniDuke’, designed specifically to collect and steal strategic insights and highly protected political information that is a matter of state security.
Now the MiniDuke malware is once again spreading in the wild via innocent-looking but fake PDF documents related to Ukraine. Researchers at F-Secure came across them while browsing the set of decoy documents extracted from a large batch of potential MiniDuke samples.
"This is interesting considering the current crisis in the area," Mikko Hypponen, the CTO of security research firm F-Secure, wrote on Tuesday.
The Hacker News reported a year ago on the malware, which uses an exploit (CVE-2013-0640) for the widely used Adobe Reader. MiniDuke is written in assembly language, has a tiny file size (20KB), and uses hijacked Twitter accounts for command and control; in case the Twitter accounts are not active, the malware locates backup control channels via Google searches.
The malware consists of three components: the PDF file, MiniDuke Main and the Payload. The Payload is dropped after the Adobe process is exploited when the malicious PDF file is opened; the file refers to topics including human rights, Ukraine's foreign policy, and NATO membership plans.
The infected machine then uses Twitter or Google to collect encrypted instructions showing it where to report for new backdoors. As soon as the infected system connects to the command servers, it starts receiving encrypted backdoors through GIF image files. Once installed, the malware may copy, remove or delete files, create a database, stop processes and download new ones, which may also open backdoor access to other Trojans.
F-Secure also provided screenshots of several Ukraine-related documents that were likely altered versions of real, already existing public documents.
F-Secure found a bogus document signed by Ruslan Demchenko, the First Deputy Minister for Foreign Affairs of Ukraine. “The letter is addressed to the heads of foreign diplomatic institutions in Ukraine.” Translated, the document turns out to be a note regarding “the 100th year anniversary of the 1st World War.”
This also signals that the attackers somehow have access to the Ukrainian Ministry of Foreign Affairs. “We don't know where the attacker got this decoy file from,” Hypponen wrote. “We don't know who was targeted by these attacks. We don't know who's behind these attacks. What we do know is that all these attacks used the CVE-2013-0640 vulnerability and dropped the same backdoor (compilation date 2013-02-21).”
The authors of MiniDuke built the malware with knowledge of how antivirus software works, which sets it apart from other viruses. The malware is made unique for each system and contains a backdoor that allows it to avoid system analysis tools; if the virus is detected, the backdoor stops its malicious activity and makes it disappear from the system.
MiniDuke malware previously attacked government entities in Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, United Kingdom and United States, as well as Ukraine.