Researchers discover new global cyber-espionage campaign

A new cyber-espionage campaign dubbed MiniDuke used the recent Adobe Reader zero-day exploit

Security researchers have identified an ongoing cyber-espionage campaign that compromised 59 computers belonging to government organizations, research institutes, think tanks and private companies from 23 countries in the past 10 days.

The attack campaign was discovered and analyzed by researchers from security firm Kaspersky Lab and the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics.

Dubbed MiniDuke, the attack campaign used targeted email messages -- a technique known as spear phishing -- that carried malicious PDF files rigged with a recently patched exploit for Adobe Reader 9, 10 and 11.

The exploit was originally discovered in active attacks earlier this month by security researchers from FireEye and is capable of bypassing the sandbox protection in Adobe Reader 10 and 11. Adobe released security patches for the vulnerabilities targeted by the exploit on Feb. 20.

The new MiniDuke attacks use the same exploit identified by FireEye, but with some advanced modifications, said Costin Raiu, director of Kaspersky Lab's global research and analysis team, on Wednesday. This could suggest that the attackers had access to the toolkit that was used to create the original exploit.

The malicious PDF files are rogue copies of reports with content relevant to the targeted organizations and include a report on the informal Asia-Europe Meeting (ASEM) seminar on human rights, a report on Ukraine's NATO membership action plan, a report on Ukraine's regional foreign policy and a report on the 2013 Armenian Economic Association, and more.

If the exploit is successful, the rogue PDF files install a piece of malware that's encrypted with information gathered from the affected system. This encryption technique was also used in the Gauss cyber-espionage malware and prevents the malware from being analyzed on a different system, Raiu said. If run on a different computer, the malware will execute, but will not initiate its malicious functionality, he said.

Another interesting aspect of this threat is that it's only 20KB in size and was written in Assembler, a method that's rarely used today by malware creators. Its small size is also unusual when compared to the size of modern malware, Raiu said. This suggests that the programmers were "old-school," he said.

The piece of malware installed during this first stage of the attack connects to specific Twitter accounts that contain encrypted commands pointing to four websites that act as command-and-control servers. These websites, which are hosted in the U.S., Germany, France and Switzerland, host encrypted GIF files that contain a second backdoor program.

The second backdoor is an update to the first and connects back to the command-and-control servers to download yet another backdoor program that's uniquely designed for each victim. As of Wednesday, the command-and-control servers were hosting five different backdoor programs for five unique victims in Portugal, Ukraine, Germany and Belgium, Raiu said.These unique backdoor programs connect to different command-and-control servers in Panama or Turkey, and they allow the attackers to execute commands on the infected systems.

The people behind the MiniDuke cyber-espionage campaign have operated since at least April 2012, when one of the special Twitter accounts was first created, Raiu said. However, it's possible that their activity was more subtle until recently, when they decided to take advantage of the new Adobe Reader exploit to compromise as many organizations as possible before the vulnerabilities get patched, he said.

The malware used in the new attacks is unique and hasn't been seen before, so the group might have used different malware in the past, Raiu said. Judging by the wide range of targets and the global nature of the attacks, the attackers probably have a large agenda, he said.

MiniDuke victims include organizations from Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russia, Slovenia, Spain, Turkey, Ukraine, United Kingdom and the United States.

In the United States, a research institute, two pro-U.S. think tanks and a health care company have been affected by this attack, Raiu said without naming any of the victims.

The attack is not as sophisticated as Flame or Stuxnet, but is high-level nevertheless, Raiu said. There are no indications regarding where the attackers might operate from or what interests they might be serving.

That said, the backdoor coding style is reminiscent of a group of malware writers known as 29A, believed to be defunct since 2008. There's a "666" signature in the code and 29A is the hexadecimal representation of 666, Raiu said.

A "666" value was also found in the malware used in the earlier attacks analyzed by FireEye, but that threat was different from MiniDuke, Raiu said. The question of whether the two attacks are related remains open.

News of this cyber-espionage campaign comes on the heels of renewed discussions about the Chinese cyber-espionage threat, particularly in the U.S., that were prompted by a recent report from security firm Mandiant. The report contains details about the years-long activity of a group of cyberattackers dubbed the Comment Crew that Mandiant believes to be a secret cyberunit of the Chinese Army. The Chinese government has dismissed the allegations, but the report was widely covered in the media.

Raiu said that none of the MiniDuke victims identified so far was from China, but declined to speculate on the significance of this fact. Last week security researchers from other companies identified targeted attacks that distributed the same PDF exploit masquerading as copies of the Mandiant report.

Those attacks installed malware that was clearly of Chinese origin, Raiu said. However, the way in which the exploit was used in those attacks was very crude and the malware was unsophisticated when compared to MiniDuke, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityFireEyeBudapest University of Technology and Economicsmalwarekaspersky lab

More about Adobe SystemsFireEyeKasperskyKasperskyNATOSwitzerlandTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts