Security vendor outs malicious program targeting government institutions

The threat research team at Russian security vendor Kaspersky Lab has identified a highly customized malicious program that has been harassing government institutions worldwide.

Known as MiniDuke, Kaspersky said the backdoor was used to attack multiple government entities and institutions worldwide during the past week. After examining the attacks in detail in partnership with CrySys Lab, according to the Kaspersky analysis a number of high profile targets have already been compromised by the MiniDuke attacks, including government entities in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. A research institute, two think tanks and a healthcare provider in United States were also compromised.

“This is a very unusual cyberattack,” said Eugene Kaspersky, founder and CEO of Kaspersky Lab, in a statement. “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld. These elite, “old school” malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries.”

“MiniDuke’s highly customized backdoor was written in Assembler and is very small in size, being only 20kb,” added Kaspersky. “This type of compact – yet highly sophisticated – malware was often written in Assembler and was very common back in the days of the VX group “29A”, but is rarely seen nowadays. The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous.”

According to the analysis, the attackers used social engineering techniques, which involved sending malicious PDF documents to their targets customized to each organization. These files were rigged with exploits attacking Adobe Reader. Once the system is exploited, a very small downloader is dropped onto the victim’s disc.

More information on the threat and Kaspersky’s analysis is available from Securelist.

Author: Jeff Jedras

A veteran technology and business journalist, Jeff Jedras began his career in technology journalism in the late 1990s, covering the booming (and later busting) Ottawa technology sector for Silicon Valley North and the Ottawa Business Journal, as well as everything from municipal politics to real estate.He later covered the technology scene in Vancouver before joining IT World Canada in Toronto in 2005, covering enterprise IT for ComputerWorld Canada. He would go on to cover the channel as an assistant editor with CDN.His writing has appeared in the Vancouver Sun, the Ottawa Citizen and a wide range of industry trade publications.