Hackers employ new malware attacking gov't entities

MANILA, Philippines -- A new highly customized malicious program has been used specifically for spying on multiple government entities and institutions across the world.

IT security vendor Kaspersky Lab tagged the malicious program "MiniDuke"; it combines sophisticated "old school" malware-writing skills with newly discovered exploits in Adobe Reader to collect geopolitical intelligence from high-profile targets.

Experts from Kaspersky Lab earlier published a new research report that analyzed a series of security incidents involving the use of the recently discovered PDF exploit in Adobe Reader (CVE-2013-6040) and the MiniDuke

The MiniDuke backdoor was used to attack multiple government entities and institutions worldwide during the past week.

Kaspersky Lab’s experts, in partnership with CrySys Lab, analyzed the attacks in detail and published their findings.

According to Kaspersky Lab’s analysis, a number of high profile targets have already been compromised by the MiniDuke attacks, including government entities in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland.

Also compromised were a research institute, two think tanks, and a healthcare provider in the United States, as well as a prominent research foundation in Hungary.

Eugene Kaspersky, founder and CEO of Kaspersky Lab, described the action as a very unusual cyberattack.

"I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld," Kaspersky said. "These elite, 'old school' malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries."

The executive added that MiniDuke's highly customized backdoor was written in Assembler and is very small, only 20kb in size.

"The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous," he said.

Kaspersky Lab's primary research findings showed the MiniDuke attackers are still active at this time and have created malware as recently as February 20, 2013.

To compromise victims, the attackers used extremely effective social engineering techniques, which involved sending malicious PDF documents to their targets.

The PDFs were highly relevant - with well-crafted content that fabricated human rights seminar information (ASEM) and Ukraine’s foreign policy and NATO membership plans.

These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10, and 11, bypassing its sandbox. A toolkit was used to create these exploits and it appears to be the same toolkit that was used in the recent attack reported by FireEye.

However, the exploits used in the MiniDuke attacks were for different purposes and had their own customized malware.

Once the system is exploited, a very small downloader, only 20kb in size, is dropped onto the victim's disk. This downloader is unique per system and contains a customized backdoor written in Assembler.

When loaded at system boot, the downloader uses a set of mathematical calculations to determine the computer’s unique fingerprint, and in turn uses this data to uniquely encrypt its communications later.

It is also programmed to avoid analysis: it checks for a hardcoded set of analysis tools and for certain environments such as VMware. If it finds any of these indicators, it runs idle in that environment instead of moving to the next stage and exposing more of its functionality by decrypting itself further. This indicates the malware writers know exactly what antivirus and IT security professionals do to analyze and identify malware.
