Close this search box.

Throwback Attack: MiniDuke malware attacks 23 countries

A hacker in the background.
Courtesy: CFE Media and Technology

While governments and organizations are attacked daily, some attacks leave little, if any, damage. It really depends on the sophistication level of the threat actor, which varies with each hack. However, there can be a lot learned from the level of sophistication an attack brings with it. For instance, in 2013, hackers attacked European governments using a malware called ‘MiniDuke.’

MiniDuke malware was used to target 23 countries worldwide, exploiting a flaw in Adobe software. The North Atlantic Treaty Organization (NATO) was one of the organizations attacked with MiniDuke, but it was not compromised in the end.

“This is a unique, fresh and very different type of attack,” said Kurt Baumgartner, a senior security researcher with Kaspersky Lab, according to an article from CNBC. “The technical indicators show this is a new type of threat actor that hasn’t been reported on before.”

MiniDuke malware explained

Security firm FireEye had found security bugs in Adobe’s Reader and Acrobat software two weeks before the MiniDuke campaign had started. Then, FireEye reported that hackers were infecting systems by circulating PDFs tainted with malicious software, a common strategy. The attackers in this situation combined old malware writing tactics with the recently discovered vulnerabilities in Adobe Reader to collect geopolitical intelligence from their targets.

The PDFs were comprised of fake Asia-Europe Meeting (ASEM) human rights seminar information, Ukraine’s foreign policy and NATO membership plans. However, what they really contained were exploits attacking certain versions of Adobe Reader, bypassing its sandbox, which is a security mechanism that separates running programs to mitigate software vulnerabilities from spreading.

Once a system was accessed, a downloader was dropped onto the victim’s desktop that had a customized backdoor. A cybersecurity expert, Boldizsar Bencsath, thought that the backdoors were installed in organizations that the hackers were interested in, so they could continue to take information they came across in the future.

According to a Reuters article, the MiniDuke attackers’ approach to communicate with infected machines was unique. “The virus was programmed to search for Tweets from specific Twitter accounts that contained instructions for controlling those personal computers. In cases where they could not access those Tweets, the virus ran Google searches to receive its marching orders.”

The premade tweets had specific tags labeling encrypted URLs for the backdoors and held access to the C2s, which then provided potential commands and encrypted transfers of additional backdoors onto the system through GIF files disguised as pictures. Once the pictures were downloaded onto the system, the attacker could carry out basic actions and execute new malware.

Details of the attack

MiniDuke struck at more than 20 countries, hitting 59 unique victims. According to Kaspersky Lab’s analysis, “a number of high-profile targets have already been compromised by the MiniDuke attacks, including government entities in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two think tanks and a health care provider in the United States were also compromised, as was a prominent research foundation in Hungary.”

Russia’s Kaspersky Lab and Hungary’s Laboratory of Cryptography and System Security (CrySyS) said that MiniDuke was designed for espionage, but researchers are still trying to figure out the attacks’ ultimate goal. Due to the the attacks’ sophistication and high-profile targets, experts suspected that a nation-state was behind them. CrySys identified servers in Panama, France, Switzerland, Germany and the U.S. as the source of the code; however, further examination of the code didn’t reveal any more information about its origin.

MiniDuke evolution

The combination of techniques used in the MiniDuke attacks stuck out to cybersecurity experts. For example, Eugene Kaspersky, founder and CEO of Kaspersky Lab said, “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld.”

Old-school threat actors were able to create complex viruses. The people behind MiniDuke were able to use the same complexity as the old threat actors and add clever social engineering at high-profile organizations, making them very dangerous. MiniDuke may have stopped its campaign or decreased its intensity to stay off the radar for a while, but the threat didn’t stay quiet for long.

Since 2013, there have been many variations of MiniDuke that have sprung up, such as CozyDuke and CosmicDuke, just to name a few. In 2014, CozyDuke targeted the White House and the U.S. Department of State, and CosmicDuke, which also targeted important organizations, was deemed the “new” MiniDuke.

Where one malware or threat actors falls off, more will come out to take its place. Though malware threats and ransomware are still on the rise, it is important to stay vigilant and mitigate any vulnerabilities as they come.




Keep your finger on the pulse of top industry news