Miniduke malware attacks European governments

News 27 Feb, 2013

Cybercriminals attempt to steal intelligence from countries.

More than 20 countries have been targeted by hackers in a wave of attacks.

According to researchers at IT security firm Kaspersky, "MiniDuke" is the malware behind the attempt by hackers to steal confidential data from governments and other organisations.

A number of high-profile targets have already been compromised by MiniDuke, including government entities in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two think tanks and a healthcare provider in the United States were also compromised, as was a prominent research foundation in Hungary.

While western defence and media organisations have been under attack from groups suspected to originate from China, the latest wave has left researchers stumped as to where the hackers are based. The malware backdoor connects to two servers, one in Panama and one in Turkey, to receive instructions from the attackers. After that, the trail goes cold.

According to Kaspersky, the malware's backdoor was written in Assembler and is very small, only 20 kB in size. To compromise victims, the attackers used extremely effective social engineering techniques, which involved sending malicious PDF documents to their targets. These PDF files were rigged with exploits targeting Adobe Reader versions 9, 10 and 11 and bypassing its sandbox. The exploits were built with a toolkit that appears to be the same one used in the recent attack reported by FireEye; however, the exploits used in the MiniDuke attacks served different purposes and delivered their own customised malware.

"This is a very unusual cyberattack," said Eugene Kaspersky, founder and chief executive of Kaspersky Lab. "I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld."

He said that these elite, "old school" malware writers were extremely effective in the past at creating highly complex viruses, and are now combining those skills with newly developed sandbox-evading exploits to target government entities and research institutions in several countries.

"The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high-profile targets is extremely dangerous," said Kaspersky.