NEWS FROM THE LAB - Tuesday, April 1, 2014

Targeted Attacks and Ukraine Posted by Mikko @ 12:05 GMT

Lets start by stating that we know this blog post is dated April 1st. However, this is not an April Fools joke.

In 2013, a series of attacks against European governments was observed by Kaspersky Lab. The malware in question, known as MiniDuke, had many interesting features: it was tiny in size at 20KB. It used Twitter accounts for Command & Control and located backup control channels via Google searches. It installed additional backdoors onto the system via GIF files that embedded the malware.

As most APT attacks, MiniDuke was distributed via innocent looking document files that were emailed to targets. In particular, PDF files that exploited the CVE-2013-0640 vulnerability were used.

To investigate similar cases, we have created a tool for extracting the payloads and the decoy documents from MiniDuke PDF files. With this tool we were able to process a large batch of potential MiniDuke samples last week. While browsing the set of extracted decoy documents, we noticed several ones that had references to Ukraine. This is interesting considering the current crisis in the area.

Here are for examples of such documents:

Ukraine MiniDuke

Ukraine MiniDuke

Ukraine MiniDuke

The attackers have collected some of these decoy documents from public sources. However this decoy file that resembles a scanned document is unlikely to be found from any public source:

Ukraine MiniDuke

The document is signed by Ruslan Demchenko, the First Deputy Minister for Foreign Affairs of Ukraine. The letter is addressed to the heads of foreign diplomatic institutions in Ukraine. When translated, it's a note regarding the 100th year anniversary of the 1st World War.

We don't know where the attacker got this decoy file from. We don't know who was targeted by these attacks. We don't know who's behind these attacks.

What we do know is that all these attacks used the CVE-2013-0640 vulnerability and dropped the same backdoor (compilation date 2013-02-21).

We detect the PDF as Exploit:W32/MiniDuke.C (SHA1: 77a62f51649388e8da9939d5c467f56102269eb1) and the backdoor as Gen:Variant.MiniDuke.1 (SHA1: b14a6f948a0dc263fad538668f6dadef9c296df2).


Research and analysis by Timo Hirvonen

Updated to add: These examples were found by mining old samples. The cases above are from 2013. So far, we haven't found Ukraine-related Miniduke samples that would have been used in 2014.