Back with authority: Miniduke re-ignites

Miniduke APT campaign is reactivated. The malware received a number of updates, and a large part of it is apparently intended to throw off researchers. Not exactly a successful endeavor.

Kaspersky Lab experts reported re-activation of one of the most unusual APT campaigns – Miniduke. It was exposed by researchers at Kaspersky Lab and CrySys Lab in February 2013; after which it had gone dormant for almost a year to get some sort of re-ignition in recent time. The scope of the new wave of attacks appears to be expanded: while the initial Miniduke operations primarily targeted government organizations in Europe, this time its new version also dubbed CosmicDuke is targeting all kinds of organizations involved with government, diplomacy, energy, telecommunications, and military contracting. Strange thing is that it also keeps the close watch on steroids peddlers online either. It’s unclear why. Probably actors behind Miniduke could be selling out their services to some outside special interest groups, but it’s a mere guess, no evidence for it right now. Anyway, the list of Miniduke’s targets suggests that people behind it gather a wide scope of political and business data from the attacked parties. Most likely, from the supply chains too, since it’s one of the weaker sides of any large entity: it may have a stone-solid cyberdefenses on its own, but it does not control IT infrastructures of its suppliers, which often become prey for the “data hunters”.

Currently, campaign targets countries all over the world, including Austria, Belgium, France Germany, Hungary, Netherlands, Spain, Ukraine, and the United States.  An analysis of one individual server illustrated specific infections in Georgia, Russia, the United Kingdom, Kazakhstan, India, Belarus, Ukraine, Cyprus, and Lithuania. The command and control servers are actively and increasingly running scans of vulnerable systems in Azerbaijan, Ukraine, and Greece, suggesting that the people behind the campaign are expanding their area of operations. As of its origin, according to Kaspersky Lab researchers, various malware components contain certain strings of code with Cyrillic characters and even links to free Russian e-mail service and, which is an URL of Moscow State Institute of Radio Engineering, Electronics and Automation.

Miniduke is rather unique among other APT campaigns; at the time of its initial discovery it used a custom backdoor, written in the “relatively outdated” Assembler programming language; had a peculiar C&C infrastructure with multiple redundancy paths including Twitter accounts, and a form of steganography in which the developers stealthily transferred their updated executables in .gif files. Most of these elements are still in use, but new features arrived, large part of them apparently dedicated to throwing off researchers (to, let us say, a limited success, as we can see).

Among these “fox tail” features are draining computation resources to limit the efficacy of antivirus engines, a custom obfuscator, and heavy use of encryption and compression based on the RC4 and LZRW algorithms. The developers also built a new, custom backdoor using a tool called BotGenStudio; this backdoor (also nicknamed CosmicDuke or TinyBaron) gives the malware capacity to steal various types of data and has flexibility to enable/disable components when the bot is constructed.

These components can be divided into 3 groups – Persistence (for instance, malware is capable of starting via Windows Task Scheduler at specific time and/or launching itself along with the activations of a screensaver, when the user is away), Reconnaissance (this is related to what files the malware steals; aside from copying and sending files with specific extensions, it also harvests passwords, history, general network information, address books, and other sensitive data; screenshots are made every 5 minutes or so) and Exfiltration of data. The malware implements several methods to exfiltrate information, including uploading data via FTP and three variants of HTTP-based communication mechanisms. A number of different HTTP connectors act as helpers, trying various methods in case one of them is restricted by local security policies or security software.

Interestingly enough, malware assigns a unique codename to every infected machine, so that every victim could receive specifically tailored updated to the malware. While more technical details are available at Securelist, it’s necessary to mention a few things right here. First and foremost is Miniduke’s infection vector. Last year it had been reported that Miniduke used vulnerabilities in Adobe software for primary infection – attackers sent their victims PDF with embedded exploits. Also a web-based infection vector was reported later. Updates to the malware are sent under the guise of GIF images. Infection requires cooperation from the end users is required: victims must open the file to view the malicious document. 800 This suggests that the businesses related to the supply chains of potential targets listed above should be paying especially close attention to the status of Adobe software they use. Attackers use somewhat simple but effective social engineering such as giving the malicious documents apparently relevant names that would draw interest from the attacked parties. After getting into system, malware (its new version, to be more specific) spoofs updaters for popular applications such as Java, Chrome, and Adobe, which run quietly in the background on infected machines, including file information, icons and even file size, apparently to ease suspicions from the advanced users and system administrators.

The companies and organizations who may be in the scope of Miniduke actors’ interest are recommended to take additional security measures, including but not limited to educating employees specifically on phishing, social engineering and malware threats, because, again, Miniduke requires users’ cooperation in order to infect targeted entities.