{"id":14975,"date":"2014-07-04T15:36:34","date_gmt":"2014-07-04T15:36:34","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2189"},"modified":"2021-07-23T03:44:56","modified_gmt":"2021-07-23T07:44:56","slug":"miniduke-is-back","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/miniduke-is-back\/14975\/","title":{"rendered":"Back with authority: Miniduke re-ignites"},"content":{"rendered":"<p>Kaspersky Lab experts have reported the re-activation of one of the most unusual APT campaigns \u2013 Miniduke. It was <a href=\"https:\/\/www.securelist.com\/en\/blog?weblogid=208194165\" target=\"_blank\" rel=\"noopener nofollow\">exposed<\/a> by researchers at Kaspersky Lab and CrySys Lab in February 2013, after which it went dormant for almost a year before re-igniting recently. The scope of the new wave of attacks appears to have expanded: while the initial Miniduke operations primarily targeted government organizations in Europe, this time its new version, also dubbed CosmicDuke, is targeting all kinds of organizations involved with government, diplomacy, energy, telecommunications, and military contracting. Strangely, it also keeps a close watch on online peddlers of steroids. It\u2019s unclear why. Possibly the actors behind Miniduke are selling their services to outside special-interest groups, but that is a mere guess with no evidence for it right now. In any case, the list of Miniduke\u2019s targets suggests that the people behind it gather a wide range of political and business data from the attacked parties. 
Most likely from supply chains too, since these are one of the weaker sides of any large entity: it may have rock-solid cyberdefenses of its own, but it does not control the IT infrastructure of its suppliers, which often becomes prey for the \u201cdata hunters\u201d.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>Miniduke is back, and it\u2019s \u201cTiny\u201d and \u201cCosmic\u201d too.<\/p><\/blockquote>\n<p>Currently, the campaign targets countries all over the world, including Austria, Belgium, France, Germany, Hungary, the Netherlands, Spain, Ukraine, and the United States. An analysis of one individual server showed specific infections in Georgia, Russia, the United Kingdom, Kazakhstan, India, Belarus, Ukraine, Cyprus, and Lithuania. The command and control servers are actively and increasingly running scans for vulnerable systems in Azerbaijan, Ukraine, and Greece, suggesting that the people behind the campaign are expanding their area of operations. 
As for its origin, according to Kaspersky Lab researchers, various malware components contain certain strings of code with Cyrillic characters and even links to mail.ru, a free Russian e-mail service, and mirea.ru, the domain of the Moscow State Institute of Radio Engineering, Electronics and Automation.<\/p>\n<p>Miniduke is rather unique among APT campaigns; at the time of its initial discovery it used a custom backdoor written in the \u201crelatively outdated\u201d Assembler programming language, had a peculiar C&amp;C infrastructure with multiple redundancy paths including Twitter accounts, and used a form of steganography in which the developers stealthily transferred their updated executables inside .gif files. Most of these elements are still in use, but new features have arrived, a large part of them apparently dedicated to throwing off researchers (with, let us say, limited success, as we can see).<\/p>\n<p>Among these \u201cfox tail\u201d features are draining computation resources to limit the efficacy of antivirus engines, a custom obfuscator, and heavy use of encryption and compression based on the RC4 and LZRW algorithms. 
The developers also built a new, custom backdoor using a tool called BotGenStudio; this backdoor (also nicknamed CosmicDuke or TinyBaron) gives the malware the capacity to steal various types of data and the flexibility to enable\/disable components when the bot is constructed.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>New Miniduke adds a handful of \u201cfox tail\u201d features to throw off researchers.<\/p><\/blockquote>\n<p>These components can be divided into three groups \u2013 Persistence (for instance, the malware is capable of starting via Windows Task Scheduler at a specific time and\/or launching itself along with the activation of a screensaver, when the user is away), Reconnaissance (this covers what files the malware steals; aside from copying and sending files with specific extensions, it also harvests passwords, history, general network information, address books, and other sensitive data; screenshots are taken every 5 minutes or so) and Exfiltration of data. The malware implements several methods to exfiltrate information, including uploading data via FTP and three variants of HTTP-based communication mechanisms. A number of different HTTP connectors act as helpers, trying various methods in case one of them is restricted by local security policies or security software.<\/p>\n<p>Interestingly enough, the malware assigns a unique codename to every infected machine, so that every victim can receive specifically tailored updates to the malware. 
While more technical <a href=\"https:\/\/securelist.com\/miniduke-is-back-nemesis-gemina-and-the-botgen-studio\/64107\/\" target=\"_blank\" rel=\"noopener\">details are available at Securelist<\/a>, it\u2019s necessary to mention a few things right here. First and foremost is Miniduke\u2019s infection vector. Last year it was reported that Miniduke used vulnerabilities in Adobe software for primary infection \u2013 attackers sent their victims <a href=\"https:\/\/securelist.com\/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor\/31112\/\" target=\"_blank\" rel=\"noopener\">PDFs with embedded exploits<\/a>. A <a href=\"https:\/\/securelist.com\/miniduke-web-based-infection-vector\/57622\/\" target=\"_blank\" rel=\"noopener\">web-based infection vector was reported later<\/a> as well. Updates to the malware are sent under the guise of GIF images. Infection requires cooperation from end users: victims must open the file to view the malicious document. <img decoding=\"async\" class=\"aligncenter size-full wp-image-2192\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/07\/06020035\/800-1.png\" alt=\"800\" width=\"800\" height=\"504\"> This suggests that businesses related to the supply chains of the potential targets listed above should pay especially close attention to the status of the Adobe software they use. Attackers use somewhat simple but effective social engineering, such as giving the malicious documents apparently relevant names that would draw interest from the attacked parties. 
After getting into the system, the malware (its new version, to be more specific) spoofs updaters for popular applications such as Java, Chrome, and Adobe, which run quietly in the background on infected machines, mimicking file information, icons and even file size, apparently to ease the suspicions of advanced users and system administrators.<\/p>\n<p>Companies and organizations that may be within the scope of the Miniduke actors\u2019 interest are recommended to take additional security measures, including but not limited to educating employees specifically on phishing, social engineering and malware threats, because, again, Miniduke requires users\u2019 cooperation in order to infect targeted entities.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Miniduke APT campaign has been reactivated. The malware received a number of updates, and a large part of them is apparently intended to throw off researchers. Not exactly a successful endeavor.<\/p>\n","protected":false},"author":209,"featured_media":15776,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[499,2127],"class_list":{"0":"post-14975","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apt","10":"tag-miniduke"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/miniduke-is-back\/14975\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/miniduke-is-back\/14975\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/miniduke-is-back\/14975\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14975","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14975"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14975\/revisions"}],"predecessor-version":[{"id":40684,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14975\/revisions\/40684"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15776"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=14975"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14975"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}