On Wednesday Kaspersky published its report (PDF) on this ongoing hack. According to a post on the SecureList blog, since February 12, the actors behind the malware have taken advantage of an exploit in Adobe’s hugely popular Reader, and used “extremely effective social engineering techniques which involved sending malicious PDF documents to their targets” to spread the infection.
“The PDFs were highly relevant and well-crafted content that fabricated human rights seminar information (ASEM) and Ukraine’s foreign policy and NATO membership plans,” according to the report.
When opened, these PDFs drop a small downloader onto the infected computer. The downloader ascertains the device’s fingerprint, encrypts its communication, and installs a device-specific backdoor.
Then, it searches the Web for “specific tweets from pre-made accounts.” That’s right. The malware makes the infected device search for specific Twitter posts containing links to command and control servers (C2), “which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files.”
In other words, MiniDuke is a system that uses Twitter as an infection vector to take over your devices.
The inane and off-sounding tweets that accompany the infected strings include such bon mots as “The weather is good today. Sunny!” and “Albert, my cousin. He is working hard.”
But this malware is so complex that even if Twitter is down, or otherwise uncontactable, it will use Google search to find the encrypted strings that lead to the C2.
The backdoors are “obfuscated within GIF files and disguised as pictures that appear on a victim’s machine.” Once these backdoors are downloaded, “they can fetch a larger backdoor which carries out the cyberespionage activities, through functions such as copy file, move file, remove file, make directory, kill process and of course, download and execute new malware and lateral movement tools.”
Kaspersky and CrySys have identified 59 victims of MiniDuke in 23 countries: Belgium, Brazil, Bulgaria, the Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, the Russian Federation, Slovenia, Spain, Turkey, Ukraine, the United Kingdom and the United States.
The malware received its name due to its similarity to another called “Duqu” and due to the presence of quotations from Dante’s “The Divine Comedy” in its shellcode.
The CrySyS Lab analysis of MiniDuke has more technical details about the attack.
Image via CrySys Lab