Researchers uncover new global cyber-espionage campaign
A new cyber-espionage campaign dubbed MiniDuke used the recent Adobe Reader zero-day exploit
IDG News Service - Security researchers have identified an ongoing cyber-espionage campaign that compromised 59 computers belonging to government organizations, research institutes, think tanks and private companies from 23 countries in the past 10 days.
The attack campaign was discovered and analyzed by researchers from security firm Kaspersky Lab and the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics.
Dubbed MiniDuke, the attack campaign used targeted email messages -- a technique known as spear phishing -- that carried malicious PDF files rigged with a recently patched exploit for Adobe Reader 9, 10 and 11.
The exploit was originally discovered in active attacks earlier this month by security researchers from FireEye and is capable of bypassing the sandbox protection in Adobe Reader 10 and 11. Adobe released security patches for the vulnerabilities targeted by the exploit on Feb. 20.
The new MiniDuke attacks use the same exploit identified by FireEye, but with some advanced modifications, said Costin Raiu, director of Kaspersky Lab's global research and analysis team, on Wednesday. This could suggest that the attackers had access to the toolkit that was used to create the original exploit.
The malicious PDF files are rogue copies of reports with content relevant to the targeted organizations and include a report on the informal Asia-Europe Meeting (ASEM) seminar on human rights, a report on Ukraine's NATO membership action plan, a report on Ukraine's regional foreign policy and a report on the 2013 Armenian Economic Association, and more.
If the exploit is successful, the rogue PDF files install a piece of malware that's encrypted with information gathered from the affected system. This encryption technique was also used in the Gauss cyber-espionage malware and prevents the malware from being analyzed on a different system, Raiu said. If run on a different computer, the malware will execute, but will not initiate its malicious functionality, he said.
Another interesting aspect of this threat is that it's only 20KB in size and was written in Assembler, a method that's rarely used today by malware creators. Its small size is also unusual when compared to the size of modern malware, Raiu said. This suggests that the programmers were "old-school," he said.
The piece of malware installed during this first stage of the attack connects to specific Twitter accounts that contain encrypted commands pointing to four websites that act as command-and-control servers. These websites, which are hosted in the U.S., Germany, France and Switzerland, host encrypted GIF files that contain a second backdoor program.
The second backdoor is an update to the first and connects back to the command-and-control servers to download yet another backdoor program that's uniquely designed for each victim. As of Wednesday, the command-and-control servers were hosting five different backdoor programs for five unique victims in Portugal, Ukraine, Germany and Belgium, Raiu said.These unique backdoor programs connect to different command-and-control servers in Panama or Turkey, and they allow the attackers to execute commands on the infected systems.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Malware and Vulnerabilities White Papers | Webcasts