MiniDuke is a highly customizable malware platform that was uncovered by Kaspersky Lab in February 2013. The malware may have been developed as early as 2010. According to Eugene Kaspersky, MiniDuke is unique in that it resembles the more complex malware of the old school; in fact, many of its components are written in assembly, a complex low-level programming language. This could indicate that the Russian authors behind MiniDuke have significant experience in the field. Its preferred attack vector is social engineering.
The initial MiniDuke campaign compromised government institutions in Ukraine, Belgium, Portugal, Romania, the Czech Republic, and Ireland. Additionally, a research institute, two think tanks, and a healthcare provider were compromised in the United States, as was a research foundation in Hungary. Victims were targeted with spear-phishing emails carrying malicious PDF files. If opened, the malicious attachments exploited a zero-day vulnerability and dropped a small downloader (20 KB) onto the victim system.
The malware deploys in three stages that are designed to evade sandbox, virtual, and analysis environments. Checks are run at each stage before the malware decrypts more of itself. The downloader appears to be unique to the victim system and contains a customized backdoor. The downloader fingerprints the system and later uses that information to encrypt its communication with the C&C server. If the target system meets the pre-defined requirements and the malware installs successfully, it then accesses Twitter as a background process and searches for specific tweets from pre-made accounts. Similar Twitter-based C&C infrastructure can be found in variants of OnionDuke, CozyDuke, and HammerDuke. The tweets, authored by the malware operators, contain tags that correspond to encrypted URLs where the backdoors are stored. The URLs lead to C&C servers that host commands and backdoors as .GIF files. In the event that Twitter is inaccessible, the malware instead runs Google searches in the background to find the encrypted strings that lead to the next C&C server.