Dissecting MiniDuke Components

Tuesday, March 12, 2013 @ 03:03 PM gHale

Files buried inside a MiniDuke command and control server indicate the presence of a Web-based facet of the campaign that initially targeted government agencies, primarily in Europe, researchers said.

Users likely end up lured to the malicious webpages via spear phishing messages containing a link to the attack site, said researchers at Kaspersky Lab and CrySys Lab.


The site, which remains active, is serving exploits for patched vulnerabilities in Java and Internet Explorer, Kaspersky Lab researcher Igor Soumenkov wrote on the Securelist blog.

Soumenkov said the attack site hosts a pair of frames. One loads a decoy webpage from a legitimate organization involved in the rebuilding and modernization of Iraq; the other is a malicious page that acts as a “primitive exploit pack,” Soumenkov said: it fingerprints the browser used to visit the attack site and then serves the matching exploit. The browser information it collects is also sent back to the attackers’ server.

“The exploits are located in separate webpages,” Soumenkov said. “Clients using Internet Explorer Version 8 are served with about.htm, for other versions of the browser and for any other browser capable of running Java applets, the javascript code loads JavaApplet.html.”

JavaApplet.html loads a Java class file that exploits CVE-2013-0422, a vulnerability in Java 7 Update 10 and earlier that bypasses the built-in Java sandbox to allow remote code execution. Soumenkov said the exploit’s code differs slightly from other exploits for this vulnerability, including the Metasploit module, most likely to avoid detection by security software. Oracle patched the vulnerability on Jan. 13; the applet was uploaded to the attack site on Feb. 11, Soumenkov said.

Once the Java shellcode executes, it writes an encrypted DLL to a temporary Java directory under the name ntuser.bin. It then copies the rundll32.exe system file to the same directory, along with another executable that loads the main MiniDuke module.

MiniDuke then reaches out to a pre-seeded Twitter post hosting a URL connecting it to the command and control server to download further instructions.

The IE 8 exploit behaves similarly, but exploits CVE-2012-4792. A Metasploit module for that vulnerability was released Dec. 29, and Microsoft fixed it with Security Update MS13-008 on Jan. 14. Like its Java counterpart, this exploit page was uploaded Feb. 11.

The shellcode used in the IE attack downloads a GIF image from the command and control server then decrypts the portable executable file hidden in the image.

“The PE file also appeared to be a modification of the MiniDuke’s main backdoor module that uses the same Twitter URL as the Java payload,” Soumenkov said.

MiniDuke surfaced on Feb. 27, and experts originally took it for a pure spear phishing campaign in which targets received malicious PDF files posing as Ukraine’s foreign policy and NATO membership plans, or as information for a phony human rights seminar. The PDF attacks targeted CVE-2013-0640, an Adobe Reader vulnerability patched a week earlier. Once in, the attackers were able to copy and move files, create new directories, kill processes and install additional malware. MiniDuke was the second successful Reader sandbox bypass.

MiniDuke stood out for researchers for its use of steganography to hide custom backdoor code inside image files, as well as for using Twitter posts to reach URLs pointing to its command and control servers. Another unusual feature was its small downloader, written in old-school Assembler, which gathers system information unique to the compromised machine.
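The two preceding passages describe the same trick from the IE shellcode: a PE file hidden inside a GIF fetched from the command and control server. The following is an added example, not code from the original article or from Kaspersky Lab, of how an analyst can carve such a payload out of a carrier image. It walks the GIF block structure to find the real image trailer (rather than searching for the last 0x3B byte, which the encrypted payload can contain by accident), takes everything after it, and tries the raw bytes and every single-byte XOR key until a valid MZ/PE header pair appears. The carrier GIF, the fake PE stub and the XOR key 0x5A are all constructed here; the article does not say what cipher MiniDuke actually used, so single-byte XOR is an assumption for illustration only.

```python
"""Carve a PE file appended to a GIF and decrypt it by single-byte XOR brute force.

Constructed example: the carrier GIF, the fake PE stub and the key are made up.
The real sample's cipher is not described in the article; XOR is an assumption.
"""
import struct
from typing import Optional, Tuple

MZ_SIG = b"MZ"
PE_SIG = b"PE\0\0"


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Skip a chain of GIF data sub-blocks (size byte + data) ending in a 0 byte."""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_payload_offset(data: bytes) -> int:
    """Parse the GIF block structure and return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]            # logical screen descriptor flags
    pos = 13
    if packed & 0x80:            # global color table: 2^(n+1) entries of 3 bytes
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:        # trailer: image ends here, anything after is foreign
            return pos + 1
        if block == 0x21:        # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif block == 0x2C:      # image descriptor: 9 bytes, optional local table
            local_packed = data[pos + 9]
            pos += 10
            if local_packed & 0x80:
                pos += 3 * (2 << (local_packed & 0x07))
            pos += 1             # LZW minimum code size
            pos = _skip_subblocks(data, pos)
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at {pos}")
    raise ValueError("GIF trailer not found")


def recover_pe(trailing: bytes) -> Optional[Tuple[int, bytes]]:
    """Try key 0 (raw) and every single-byte XOR key; accept when MZ and PE headers line up."""
    for key in range(256):
        dec = bytes(c ^ key for c in trailing)
        if len(dec) < 0x40 or dec[:2] != MZ_SIG:
            continue
        e_lfanew = struct.unpack_from("<I", dec, 0x3C)[0]   # offset of the PE header
        if dec[e_lfanew:e_lfanew + 4] == PE_SIG:
            return key, dec
    return None


def extract_hidden_pe(data: bytes) -> Optional[Tuple[int, bytes]]:
    """End-to-end: locate the trailer, carve the tail, decrypt and validate it."""
    return recover_pe(data[gif_payload_offset(data):])


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed carrier: a valid 1x1 GIF followed by an XOR-encrypted fake PE stub."""
    gif = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # screen descriptor, 2-entry table
           + b"\x00\x00\x00\xff\xff\xff"                           # global color table
           + b"\x21\xf9\x04\x00\x00\x00\x00\x00"                   # graphic control extension
           + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)        # image descriptor
           + b"\x02\x02\x44\x01\x00"                               # LZW data sub-blocks
           + b"\x3b")                                              # trailer (offset 42)
    # Minimal DOS/PE header: e_lfanew at 0x3C points at "PE\0\0" at 0x40; body is filler.
    fake_pe = (MZ_SIG + b"\x00" * 58 + struct.pack("<I", 0x40) + PE_SIG
               + b"constructed payload, not real code\x00")
    return gif + bytes(c ^ key for c in fake_pe)


if __name__ == "__main__":
    sample = build_sample()
    result = extract_hidden_pe(sample)
    print("payload starts at", gif_payload_offset(sample), "key/len:", result[0], len(result[1]))
```

The parser matters more than the decryption loop: the letter "a" XORed with 0x5A is 0x3B, so a carver that searches for the trailer byte instead of walking the blocks can split the tail at the wrong place. Against a real sample the XOR step would be replaced by whatever cipher the loader uses, but the carve-then-validate-header shape stays the same.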

“This is a unique and very strange attack. The many different targets hit in separate countries, together with the high profile appearance of the decoy documents and the weird backdoor functionality indicate an unusual threat actor,” said the original Kaspersky and CrySyS report. “Some of the elements remind us of both Duqu and Red October, such as the minimalistic approach, hacked servers, encrypted channels but also the typology of the victims.”
