The threat research team at Russian security vendor Kaspersky Lab has identified a highly customized malicious program that has been used in attacks on government institutions worldwide.
Known as MiniDuke, the backdoor was used, Kaspersky said, to attack multiple government entities and institutions worldwide during the past week. Kaspersky examined the attacks in detail in partnership with CrySys Lab; according to its analysis, a number of high-profile targets have already been compromised, including government entities in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. A research institute, two think tanks and a healthcare provider in the United States were also compromised.
“This is a very unusual cyberattack,” said Eugene Kaspersky, founder and CEO of Kaspersky Lab, in a statement. “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld. These elite, ‘old school’ malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries.”
“MiniDuke’s highly customized backdoor was written in Assembler and is very small in size, being only 20 KB,” added Kaspersky. “This type of compact – yet highly sophisticated – malware was often written in Assembler and was very common back in the days of the VX group ‘29A’, but is rarely seen nowadays. The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous.”
According to the analysis, the attackers used social engineering: they sent their targets malicious PDF documents customized to each organization. The files were rigged with exploits for Adobe Reader. Once the system was exploited, a very small downloader was dropped onto the victim’s disk.
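Spear-phishing PDFs of the kind described here are usually triaged before any exploit analysis by counting the PDF object types a document needs only if it intends to run code when opened (auto-run actions, script streams, launched or embedded files). The following Python script is an added example, not code from the article, Kaspersky or CrySys Lab; the indicator list, weights, threshold and the two embedded sample documents are constructed for illustration, and the name-obfuscation handling (decoding `#4A`-style hex escapes) is the standard pdfid-style keyword count, not a MiniDuke signature.

```python
"""Static triage of PDF files for object types commonly abused in
document-based attacks. Added example for this article; indicators,
weights and threshold are assumptions, not a signature for any family.
It parses no PDF structure, only the raw bytes, so it is cheap enough
to run on a mail gateway or a file share scanner."""
import re
from collections import Counter

# Name objects worth counting and a rough weight per hit (assumed values).
INDICATORS = {
    b"/JavaScript": 3,    # script engine reference
    b"/JS": 3,            # script stream
    b"/OpenAction": 2,    # action that runs when the document opens
    b"/AA": 2,            # additional (event-driven) actions
    b"/Launch": 4,        # asks the reader to run an external program
    b"/EmbeddedFile": 2,  # carried payload
    b"/RichMedia": 2,     # Flash content
    b"/ObjStm": 1,        # object streams, often used to hide the above
}
SUSPICIOUS_SCORE = 4  # assumed threshold for flagging a file

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes (#4A -> 'J') so obfuscated keywords such
    as /#4Aava#53cript match. Applied to the whole file for triage purposes,
    which is acceptable because only the counts matter, not the content."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_indicators(data: bytes) -> Counter:
    """Count each indicator as a whole name token (so /JS does not match /JSX)."""
    text = normalize_names(data)
    counts = Counter()
    for name in INDICATORS:
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        counts[name.decode()] = len(re.findall(pattern, text))
    return counts


def triage(data: bytes) -> dict:
    """Return header check, non-zero indicator hits and the weighted score."""
    is_pdf = data.startswith(b"%PDF-")
    counts = count_indicators(data)
    score = sum(INDICATORS[k.encode()] * v for k, v in counts.items())
    return {
        "is_pdf": is_pdf,
        "score": score,
        "suspicious": is_pdf and score >= SUSPICIOUS_SCORE,
        "hits": {k: v for k, v in counts.items() if v},
    }


# Constructed sample: a minimal, plain one-page PDF.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: same skeleton plus an on-open action whose action type
# name is hex-obfuscated; the script itself is a harmless alert box.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /#4Aava#53cript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage(blob))
```

A hit on `/OpenAction` together with `/JavaScript` is the classic shape of a document that runs script as soon as the reader opens it, which is why those two together clear the threshold while a lone `/ObjStm` does not; files that score high are candidates for sandbox detonation or manual analysis rather than delivery to the inbox.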
More information on the threat and Kaspersky’s analysis is available from Securelist.