MINIDUKE

MiniDuke is a highly customizable malware platform that was uncovered by Kaspersky Lab in February 2013. The malware may have been developed as early as 2010. According to Eugene Kaspersky, MiniDuke is unusual in that it resembles more complex, old-school malware: many of its components are written in Assembly, a low-level programming language that is demanding to work in. This could indicate that the Russian authors behind MiniDuke have significant experience in the field. Its preferred attack vector is social engineering.

The initial MiniDuke campaign compromised government institutions in Ukraine, Belgium, Portugal, Romania, the Czech Republic, and Ireland. Additionally, a research institute, two think tanks, and a healthcare provider were compromised in the United States, as well as a research foundation in Hungary. Victims were targeted with spear-phishing emails containing malicious PDF files. If opened, the malicious attachments exploited a zero-day vulnerability and dropped a small (20 KB) downloader onto the victim system.

The malware deploys in three stages designed to evade sandboxes, virtual machines, and analysis environments; checks run at each stage before the malware decrypts more of itself. The downloader appears to be unique to each victim system and contains a customized backdoor. It fingerprints the system and later uses that fingerprint to encrypt its communication with the C&C server. If the target system meets the pre-defined requirements and the malware installs successfully, it accesses Twitter as a background process and searches for specific tweets from pre-made accounts. Similar Twitter-based C&C infrastructure appears in variants of OnionDuke, CozyDuke, and HammerDuke. The tweets, authored by the malware operators, contain tags that correspond to encrypted URLs where the backdoors are stored. The URLs lead to C&C servers that deliver commands and backdoors as .GIF files. If Twitter is inaccessible, the malware runs Google searches in the background to find the encrypted strings that lead to the next C&C server.
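The final hop in that chain, encrypted backdoors delivered as .GIF files, is something a defender can triage on the endpoint or at a proxy. The Python below is an added example, not MiniDuke code or a sample from the original page, and it makes no claim about how MiniDuke actually embeds its payloads (the page does not describe that): it walks the GIF block structure to the 0x3B trailer and flags files that carry high-entropy data after it, a generic check for an image file used as a carrier. The sample bytes, the 7.0 bits/byte threshold and the function names are all constructed for this example.

```python
import math
from collections import Counter

# Constructed sample: a minimal, valid 1x1 GIF89a (35 bytes). Not a MiniDuke artifact.
CLEAN_GIF = (
    b"GIF89a"                                      # header / version
    + b"\x01\x00\x01\x00"                          # logical screen: 1 x 1
    + b"\x80\x00\x00"                              # packed (GCT present, 2 entries), bg index, aspect
    + b"\x00\x00\x00\xff\xff\xff"                  # global color table: black, white
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor: 1 x 1, no local table
    + b"\x02"                                      # LZW minimum code size
    + b"\x02\x44\x01\x00"                          # one image data sub-block + terminator
    + b"\x3b"                                      # trailer
)

# Constructed stand-ins for carrier files (not real payloads): high-entropy
# bytes appended after the trailer, and harmless low-entropy zero padding.
APPENDED_GIF = CLEAN_GIF + bytes(range(256)) * 2
PADDED_GIF = CLEAN_GIF + b"\x00" * 64


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Walk a chain of length-prefixed data sub-blocks; return offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        length = data[pos]
        pos += 1
        if length == 0:
            return pos
        pos += length


def parse_gif(data: bytes) -> dict:
    """Walk the GIF block structure up to the 0x3B trailer.

    Returns the frame count, the offset just past the trailer, and how many
    bytes follow it. Raises ValueError for non-GIF or truncated input.
    """
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    if len(data) < 13:
        raise ValueError("truncated logical screen descriptor")
    packed = data[10]
    pos = 13
    if packed & 0x80:                          # global color table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    frames = 0
    while True:
        if pos >= len(data):
            raise ValueError("no trailer before end of file")
        block = data[pos]
        pos += 1
        if block == 0x3B:                      # trailer: image data ends here
            return {"frames": frames, "trailer_end": pos,
                    "trailing_bytes": len(data) - pos}
        if block == 0x21:                      # extension: label byte, then sub-blocks
            pos += 1
            pos = _skip_subblocks(data, pos)
        elif block == 0x2C:                    # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:                 # local color table present
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1                           # LZW minimum code size
            pos = _skip_subblocks(data, pos)
            frames += 1
        else:
            raise ValueError(f"unknown block type 0x{block:02x} at offset {pos - 1}")


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0); 0.0 for an empty buffer."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def triage_gif(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag a GIF that carries high-entropy data after its trailer.

    Plain padding or metadata is low-entropy and stays unflagged; encrypted or
    compressed data appended after the image typically scores near 8 bits/byte.
    The threshold is an assumed tuning value, not a published indicator.
    """
    info = parse_gif(data)
    tail = data[info["trailer_end"]:]
    info["trailing_entropy"] = round(shannon_entropy(tail), 3)
    info["suspicious"] = info["trailing_bytes"] > 0 and info["trailing_entropy"] >= entropy_threshold
    return info


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_GIF), ("appended", APPENDED_GIF), ("padded", PADDED_GIF)):
        print(name, triage_gif(sample))
```

Parsing the block structure rather than just searching for the last 0x3B matters: image data sub-blocks can legitimately contain 0x3B bytes, so a naive search would misplace the end of the image. The entropy gate keeps ordinary trailing padding or metadata from raising alerts, while data that is encrypted or compressed stands out.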

Type: Nation State Sponsored

Status: Active

Active Since/Discovered: 2008 / February 2013

Targets: Ukraine, Belgium, Portugal, Romania, The Czech Republic, Ireland, USA, Hungary

Target Sectors:

  • Government entities
  • Energy, oil and gas companies
  • Military
  • Academia/Research
  • Telecoms

MiniDuke Malware:

  • MiniDuke malware: toolset consists of multiple downloader and backdoor components
    • HTTP(S) communication
    • Uses Twitter to initially obtain the address of a C2 server, or as a backup if no hard-coded C2 server responds

Preferred Attack Vector: Social engineering

IoCs:

  • Targets Windows
  • Cyberespionage Focused
  • Malicious downloader is unique to each system
  • Customized backdoor written in Assembler
  • The malware looks for specific tweets, containing encrypted URLs for the backdoors, from pre-made accounts created by MiniDuke’s Command and Control (C2) operators
  • Infected systems receive encrypted backdoors within GIF files, disguised as pictures that appear on the victim's machine

Unique:

  • Use of Twitter