Fascinating MiniDuke backdoor hits again
MiniDuke – the extremely small and highly customized Assembler-based backdoor used in the past to target mostly government entities and institutions around the world – has been spotted again, this time by ESET researchers.
The exploit used to deliver the malware targets the recently patched Word RTF memory corruption vulnerability (CVE-2014-1761) and comes in the form of a specially crafted RTF file named Proposal-Cover-Sheet-English.rtf, delivered via email.
“Although the backdoor is still quite similar to its previous versions, some important changes were made since last year, the most notable being the introduction of a secondary component written in JScript to contact a C&C server via Twitter,” the researchers noted.
“We received the document on April 8th, only three days after the compilation of the MiniDuke payload, dated April 5th in the PE header. The payload remains quite small at only 24 KB.”
This version of MiniDuke comes with a main module and the TwitterJS module. It first collects some information about the target system (volume serial number, CPU information, computer name) and uses it to encrypt its configuration, so that the configuration of a payload recovered from one machine cannot be decrypted when the sample is analyzed on another computer.
The backdoor creates hidden LNK files to ensure persistence on the machine. As before, the malware is capable of detecting the hooks and debugger breakpoints typical of a slew of security software and monitoring tools. If it detects any, it will still run but will not contact the C&C server.
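The host-keyed configuration described above is a form of environmental keying. The following is an added example (not MiniDuke's own code, and not ESET's analysis): the key is derived from the same three host attributes the article names, and a MAC lets the decryptor tell a wrong host apart from a corrupted blob. The HMAC-based stream cipher, the 16-byte nonce and tag layout, the sample configuration and both sets of host values are assumptions made for the demonstration.

```python
"""Environmental keying: configuration only decrypts on the host it was keyed to."""
import hashlib
import hmac
import json


def host_fingerprint(volume_serial: int, cpu_info: str, computer_name: str) -> bytes:
    """Derive a 32-byte key from host attributes (hypothetical derivation)."""
    material = f"{volume_serial:08x}|{cpu_info}|{computer_name}".encode()
    return hashlib.sha256(material).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a stream cipher (illustration only,
    # any real implementation would use a standard AEAD such as AES-GCM).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_config(config: dict, key: bytes, nonce: bytes) -> bytes:
    """Return nonce || tag || ciphertext for a JSON-serialised configuration."""
    plaintext = json.dumps(config, sort_keys=True).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + tag + ciphertext


def decrypt_config(blob: bytes, key: bytes):
    """Decrypt a blob produced by encrypt_config; None when the key (host) is wrong."""
    nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None  # wrong host or tampered blob: nothing recoverable
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


# Constructed sample data; none of these values come from a real infection.
SAMPLE_CONFIG = {"twitter_handle": "@FloydLSchwartz", "version": 1}
VICTIM_KEY = host_fingerprint(0x1A2B3C4D, "Intel(R) Core(TM) i5", "WS-01")
ANALYST_KEY = host_fingerprint(0x99999999, "QEMU Virtual CPU", "SANDBOX")
NONCE = b"\x00" * 16  # fixed here for reproducibility; random in practice


def demo():
    """Encrypt on the victim, then try to decrypt on the victim and in a sandbox."""
    blob = encrypt_config(SAMPLE_CONFIG, VICTIM_KEY, NONCE)
    on_victim = decrypt_config(blob, VICTIM_KEY)   # original configuration
    in_sandbox = decrypt_config(blob, ANALYST_KEY)  # None: key does not match
    return on_victim, in_sandbox


if __name__ == "__main__":
    print(demo())
```

The practical consequence for incident responders is that the sample alone is not enough: the volume serial number, CPU string and computer name of the infected host must be captured (or the sample run on that host) before the machine is reimaged, or the configuration stays unrecoverable.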
“If the configuration data is decrypted correctly, MiniDuke retrieves the Twitter page of @FloydLSchwartz in search of URLs by which to reach C&C server,” they shared, noting that the account currently carries no tags that would reveal the URL of the C&C server.
MiniDuke will collect information about the infected system (computer name and user domain name, country code of the infected host's IP address, OS version, a list of AV products installed on the system, and so on) and deliver it along with its own version to the C&C server.
The C&C responds by sending a payload: a fake GIF8 file containing an encrypted executable. MiniDuke then verifies the integrity of the file, decrypts it, stores it and executes it.
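A file that begins with the GIF8 magic but carries an encrypted executable will not have the structure of a real GIF. The following is an added example, not part of the original article or of ESET's analysis, of a check a defender could run over files pulled from network captures or proxy logs: it parses the GIF header and logical screen descriptor, verifies that the first block introducer is one of the three the GIF specification allows, and measures the entropy of the body. The thresholds and the two constructed samples are assumptions; the details of MiniDuke's actual container format are not described on this page and are not reproduced here.

```python
"""Flag files whose GIF8 magic is not followed by a real GIF structure."""
import math
import struct
from collections import Counter

GIF_VERSIONS = (b"87a", b"89a")
# After the header (and optional global colour table) a GIF may only continue with:
BLOCK_INTRODUCERS = {0x21: "extension", 0x2C: "image descriptor", 0x3B: "trailer"}
ENTROPY_THRESHOLD = 7.9  # bits/byte; LZW image data is high too, so this is a weak signal


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_gif(data: bytes) -> dict:
    """Return structural findings for a blob claiming to be a GIF."""
    if len(data) < 14 or data[:4] != b"GIF8":
        return {"looks_like_gif": False, "findings": ["no GIF8 magic"]}
    findings = []
    version = data[3:6]
    if version not in GIF_VERSIONS:
        findings.append(f"unknown GIF version {version!r}")
    # Logical screen descriptor: width, height, packed flags, bg colour index, aspect ratio
    width, height, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    if width == 0 or height == 0:
        findings.append("zero logical screen size")
    offset = 13
    if packed & 0x80:  # global colour table present: 3 bytes per entry
        offset += 3 * (2 ** ((packed & 0x07) + 1))
    if offset >= len(data) or data[offset] not in BLOCK_INTRODUCERS:
        findings.append("first block introducer is not an extension, image descriptor or trailer")
    entropy = shannon_entropy(data[13:])
    if entropy > ENTROPY_THRESHOLD:
        findings.append(f"body entropy {entropy:.2f} bits/byte suggests encrypted or compressed data")
    return {
        "looks_like_gif": not findings,
        "version": version.decode("latin-1"),
        "entropy": round(entropy, 2),
        "findings": findings,
    }


# Constructed samples (not real captures).
# A minimal, valid 1x1 GIF89a: header, image descriptor, image data, trailer.
REAL_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x00, 0, 0)
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    + b"\x02\x02\x44\x01\x00" + b"\x3b"
)
# Plausible header followed by a uniformly distributed body standing in for ciphertext.
FAKE_GIF = b"GIF89a" + struct.pack("<HHBBB", 640, 480, 0x00, 0, 0) + bytes(range(256)) * 4


if __name__ == "__main__":
    for name, sample in (("real", REAL_GIF), ("fake", FAKE_GIF)):
        print(name, inspect_gif(sample))
```

The structural checks are the reliable part: a GIF whose first block introducer is none of 0x21, 0x2C or 0x3B cannot be rendered by any decoder, so an HTTP response that is labelled as an image yet fails them deserves a closer look. Treat the entropy line as supporting evidence only, since LZW-compressed image data also scores high.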
The executable in question can do a set of actions, including copying and removing files, making new directories, killing processes, and downloading and executing additional malware.
The researchers have also managed to discover four computers that have been infected with this MiniDuke variant. They are located in Belgium, France and the UK, and their owners have already been notified of it by their own countries’ CERTs.
As before, it’s impossible to tell which actors are behind the attack.
For more details about the malware, check out the technical analysis shared by the researchers.