Trojan Hits Governments

Thursday, February 28, 2013 @ 05:02 PM gHale

The MiniDuke Trojan carried out targeted attacks on international government institutions and companies, researchers said.

The malware infected computers through a hole in the sandbox feature of Adobe Reader discovered in December. The attackers used a clever approach: The PDFs pretended to contain information on human rights issues and on NATO’s membership plans for the Ukraine and had plausible file names.


The code included in the PDF file retrieves further malware from the net. Apparently, this malware is a small program of only 22KB written in assembly language. The malicious content used a polymorphic compiler that could produce a new variant of the malware every few minutes. Because every Trojan sample differs, a signature detection component cannot rely on a fixed signature to identify the downloaded malware. However, PDFs that contain the malware can be identified because they include a “@34fZ7E*p \” character string.
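As a defender-side illustration of the string check just described, here is an added Python example (not from the article, CrySyS Lab or Kaspersky) that scans PDF files for that marker. It searches both the raw bytes and the inflated contents of FlateDecode streams, since a plain byte search misses the string when the PDF object carrying it is compressed. The marker is copied with the exact spacing printed above (treat that spacing as an assumption inherited from the article text), and the three sample PDFs are constructed in the block, not real samples.

```python
import re
import zlib
from pathlib import Path
from typing import Iterable

# Marker string reported for the MiniDuke dropper PDFs, copied as printed in
# the article ("@34fZ7E*p \"). The exact spacing is an assumption taken from
# the article text, so adjust it if your own reference material differs.
MINIDUKE_MARKER = b"@34fZ7E*p \\"

# PDF stream bodies: "stream" keyword, optional CR, LF, body, then "endstream".
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _inflate_streams(data: bytes) -> list[bytes]:
    """Return the inflated body of every zlib-compressed stream in the PDF.

    Streams that are not zlib data (or are corrupt) are skipped; the raw bytes
    are searched separately, so uncompressed content is still covered.
    A decompressobj is used so trailing CR/LF before "endstream" is tolerated.
    """
    out = []
    for m in _STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return out


def scan_pdf_bytes(data: bytes, marker: bytes = MINIDUKE_MARKER) -> dict:
    """Check one PDF's bytes for the marker, raw and inside inflated streams."""
    result = {
        "is_pdf": data.startswith(b"%PDF"),
        "marker_raw": marker in data,
        "marker_in_stream": any(marker in s for s in _inflate_streams(data)),
    }
    result["suspicious"] = result["marker_raw"] or result["marker_in_stream"]
    return result


def scan_paths(paths: Iterable[str]) -> dict[str, dict]:
    """Scan files on disk; returns {path: result}. Unreadable files are reported as errors."""
    report = {}
    for p in paths:
        try:
            report[p] = scan_pdf_bytes(Path(p).read_bytes())
        except OSError as exc:
            report[p] = {"error": str(exc)}
    return report


def _make_pdf(stream_body: bytes, compress: bool) -> bytes:
    """Build a tiny, constructed single-stream PDF for demonstration only."""
    body = zlib.compress(stream_body) if compress else stream_body
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< " + filt + b"/Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


# Constructed samples: a benign PDF, one carrying the marker in plain text,
# and one with the marker hidden inside a deflated stream.
BENIGN_PDF = _make_pdf(b"BT /F1 12 Tf (NATO membership notes) Tj ET", compress=True)
PLAIN_MARKER_PDF = _make_pdf(b"<< /JS (" + MINIDUKE_MARKER + b") >>", compress=False)
DEFLATED_MARKER_PDF = _make_pdf(b"<< /JS (" + MINIDUKE_MARKER + b") >>", compress=True)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_PDF), ("plain", PLAIN_MARKER_PDF),
                       ("deflated", DEFLATED_MARKER_PDF)]:
        print(name, scan_pdf_bytes(blob))
```

Run it over a directory with `scan_paths(glob.glob("incoming/*.pdf"))`; a hit on `suspicious` is a reason to quarantine the file for closer analysis, not proof of infection on its own, and other PDF filters (LZW, ASCII85, object streams) would need their own decoders before this check sees their contents.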

The researchers at CrySyS Lab, who discovered the Trojan, and anti-virus company Kaspersky Lab have nevertheless found identifying similarities in the way the malware operates. Immediately after a successful attack, infected computers will establish a connection to Google and Twitter. Both services act as channels to the command & control servers. On Twitter, the malware uses tweets to retrieve encrypted instructions that cause it to download additional code. Google’s search appears to be a backup in case one of the Twitter accounts ends up blocked.

The backdoor loads an encrypted executable that disguises itself with a GIF header – to a file viewer such as IrfanView, it will look like a harmless icon. The Trojan also uses the Geo IP Tool to determine the location of the computer. Based on this, selected clients receive a different variant of the Trojan.

Every victim’s PC is given a unique ID that allows the command & control servers to recognize it. Kaspersky said the servers are in Panama and Turkey. The observed malware samples retrieved malicious code from compromised servers in Germany, France, Switzerland and the U.S. – including those of an Arabian online book store, a New Age school, a consulting firm, and a machine manufacturing association. The only perceivable similarity among the domains is that the operators don’t appear to have updated their web presence for quite some time.

Kaspersky’s report indicated the attacks started in June 2012 at the latest. The command & control servers continue to be active. From the log files, the security researchers conclude that the highly specialized attack targeted 59 victims in 23 countries – including targets in Germany, Israel, Russia, the UK and the U.S.; government organizations were among the targets in Belgium, Ireland, Portugal, Romania, the Czech Republic and the Ukraine.
