Researchers have identified a new strain of malware that combines old-school malware-writing techniques with modern sandbox-evading exploits to target government entities and institutions around the world.
The malware, dubbed MiniDuke, was uncovered by Kaspersky Lab and CrySys Lab. It has been used in the past week to attack government entities in Ukraine, Belgium, Portugal, Romania, the Czech Republic, and Ireland. But a research institute, two think tanks, and a healthcare provider in the US were also hit, as was a prominent research foundation in Hungary, Kaspersky said in a blog post.
MiniDuke is still active and new malware was created as recently as 20 February, Kaspersky said. It attacks via infected PDFs, which are emailed to specific targets with highly relevant subject lines. Attachments sent to those in Ukraine included "fabricated human rights seminar information (ASEM) and Ukraine's foreign policy and NATO membership plans," Kaspersky said.
Once people opened the infected PDFs, MiniDuke attacked Adobe Reader versions 9, 10, and 11, bypassing its sandbox.
The exploits appear to have been built with the same toolkit as a zero-day Adobe Reader exploit reported earlier this month, but "the exploits used in the MiniDuke attacks were for different purposes and had their own customized malware," according to Kaspersky.
MiniDuke's first stage is a small, 20KB downloader built to frustrate analysis and detection, which indicates that "the malware writers know exactly what antivirus and IT security professionals are doing in order to analyze and identify malware," Kaspersky speculated.
Once running, the downloader looked for its command-and-control servers on Twitter: the attackers had created accounts that posted tweets containing encoded URLs, which the backdoor decoded to learn where to fetch its next stage. If Twitter wasn't available, MiniDuke fell back to Google Search to find the same encoded strings. "This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed," Kaspersky said.
The content fetched from the command-and-control (C2) servers is hidden inside GIF files, so on the wire and on disk it looks like an ordinary image. "Once they are downloaded to the machine they can download a larger backdoor that carries out several basic actions, such as copy file, move file, remove file, make directory, kill process, and, of course, download and execute new malware," Kaspersky found.
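The GIF trick works because image viewers stop reading at the GIF trailer byte, so anything appended after it still "looks like a photo". A quick triage check for that pattern is shown below. This is an added example written for this article, not Kaspersky's analysis or any MiniDuke code, and it does not reproduce MiniDuke's actual encoding (which the article does not describe); it only walks the standard GIF block structure to find where the image ends and reports any bytes after it, along with their entropy, since an encrypted blob sits near 8 bits per byte. The sample GIF and the appended payload are constructed inline for the example.

```python
import math
from typing import Dict

# Constructed, valid 1x1 GIF89a: header, logical screen descriptor with a
# 2-entry global colour table, graphic control extension, one image block,
# trailer 0x3B. Sample input built for this example, not a real capture.
CLEAN_GIF = (
    b"GIF89a"                                     # signature + version
    b"\x01\x00\x01\x00\x80\x00\x00"               # logical screen descriptor: 1x1, GCT flag set
    b"\x00\x00\x00\xff\xff\xff"                   # global colour table: 2 entries
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"           # graphic control extension
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor
    b"\x02"                                       # LZW minimum code size
    b"\x02\x44\x01"                               # one data sub-block (2 bytes)
    b"\x00"                                       # block terminator
    b"\x3b"                                       # trailer
)

# Constructed stand-in for an encrypted blob smuggled after the trailer.
# bytes(range(256)) is used because its Shannon entropy is exactly 8 bits/byte.
SMUGGLED_PAYLOAD = bytes(range(256))
TROJANED_GIF = CLEAN_GIF + SMUGGLED_PAYLOAD


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of GIF data sub-blocks; return offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        length = data[pos]
        pos += 1
        if length == 0:
            return pos
        pos += length


def gif_image_end(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF signature")
    if len(data) < 13:
        raise ValueError("truncated logical screen descriptor")
    packed = data[10]
    pos = 13
    if packed & 0x80:  # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block = data[pos]
        pos += 1
        if block == 0x3B:          # trailer: viewers stop here, so does the image
            return pos
        if block == 0x21:          # extension: label byte, then sub-blocks
            pos += 1
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x2C:        # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            img_packed = data[pos + 8]
            pos += 9
            if img_packed & 0x80:  # local colour table
                pos += 3 * (2 ** ((img_packed & 0x07) + 1))
            pos += 1               # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unknown block type 0x{block:02x} at offset {pos - 1}")


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0, plain text well below."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_gif(data: bytes) -> Dict[str, object]:
    """Report any bytes after the GIF trailer, the simplest place to hide a payload."""
    end = gif_image_end(data)
    trailing = data[end:]
    return {
        "image_end": end,
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 3),
        "suspicious": len(trailing) > 0,
    }


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_GIF), ("trojaned", TROJANED_GIF)):
        print(name, scan_gif(sample))
```

A real carrier could also hide data inside the LZW pixel stream or an application extension block rather than after the trailer, so this is a first filter, not a complete detector; a file that parses cleanly and has nothing after 0x3B can still carry a payload, while any appended high-entropy tail is worth pulling apart.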
The servers hosting these malware backdoors appear to be in Panama and Turkey.
In a statement, Eugene Kaspersky, founder and CEO of Kaspersky Lab, said MiniDuke was unusual in that it combined elements of malicious programming not seen in years.
"I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld," he said. "These elite, 'old school' malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries."
This type of combination, Kaspersky said, "is extremely dangerous."