Kaspersky Lab Identifies ‘MiniDuke’

Post time 1-3-2013 09:45 AM
New Threat Actors Combine Sophisticated “Old School” Malware Writing Skills with Newly Advanced Exploits in Adobe Reader to Collect Geopolitical Intelligence from High Profile Targets.

Today Kaspersky Lab’s team of experts published a new research report that analyzed a series of security incidents involving the use of the recently discovered PDF exploit in Adobe Reader (CVE-2013-6040) and a new, highly customized malicious program known as MiniDuke. The MiniDuke backdoor was used to attack multiple government entities and institutions worldwide during the past week. Kaspersky Lab’s experts, in partnership with CrySys Lab, analyzed the attacks in detail and published their findings.

According to Kaspersky Lab’s analysis, a number of high profile targets have already been compromised by the MiniDuke attacks, including government entities in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two think tanks, and a healthcare provider in the United States were also compromised, as was a prominent research foundation in Hungary.

“This is a very unusual cyberattack,” said Eugene Kaspersky, Founder and CEO of Kaspersky Lab. “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld. These elite, ‘old school’ malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries.”

“MiniDuke’s highly customized backdoor was written in Assembler and is very small in size, being only 20kb,” added Kaspersky. “The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous.”

Kaspersky Lab’s Primary Research Findings:

· The MiniDuke attackers are still active at this time and have created malware as recently as February 20, 2013. To compromise victims, the attackers used extremely effective social engineering techniques, which involved sending malicious PDF documents to their targets. The PDFs were highly relevant, with well-crafted content that fabricated human rights seminar information (ASEM) and Ukraine’s foreign policy and NATO membership plans. These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10, and 11, bypassing its sandbox. A toolkit was used to create these exploits and it appears to be the same toolkit that was used in the recent attack reported by FireEye. However, the exploits used in the MiniDuke attacks were for different purposes and had their own customized malware.

· Once the system is exploited, a very small downloader is dropped onto the victim’s disk that’s only 20kb in size. This downloader is unique per system and contains a customized backdoor written in Assembler. When loaded at system boot, the downloader uses a set of mathematical calculations to determine the computer’s unique fingerprint, and in turn uses this data to uniquely encrypt its communications later. It is also programmed to avoid analysis by a hardcoded set of tools in certain environments like VMware. If it finds any of these indicators it will run idle in the environment instead of moving to another stage and exposing more of its functionality by decrypting itself further; this indicates the malware writers know exactly what antivirus and IT security professionals are doing in order to analyze and identify malware.

· If the target’s system meets the pre-defined requirements, the malware will use Twitter (unbeknownst to the user) and start looking for specific tweets from pre-made accounts. These accounts were created by MiniDuke’s Command and Control (C2) operators, and the tweets maintain specific tags labeling encrypted URLs for the backdoors. These URLs provide access to the C2s, which then provide potential commands and encrypted transfers of additional backdoors onto the system via GIF files.

· Based on the analysis, it appears that MiniDuke’s creators provide a dynamic backup system that also can fly under the radar. If Twitter isn’t working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next C2. This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed.

· Once the infected system locates the C2, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim’s machine. Once they are downloaded to the machine they can download a larger backdoor that carries out several basic actions, such as copy file, move file, remove file, make directory, kill process, and, of course, download and execute new malware.

· The malware backdoor connects to two servers, one in Panama and one in Turkey, to receive instructions from the attackers.

To read the full research report by Kaspersky Lab and the recommendations for protecting against MiniDuke attacks, please visit Securelist.

To read CrySys Lab’s report, please visit the following page.

Kaspersky Lab’s system detects and neutralizes the MiniDuke malware, classified as HEUR:Backdoor.Win32.MiniDuke.gen and Backdoor.Win32.Miniduke. Kaspersky Lab also detects the exploits used in the PDF documents, classified as Exploit.JS.Pdfka.giy.
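As an added, defender-side example (not code from the Kaspersky report or from the post above): a checker that walks a GIF's block structure and reports how many bytes sit after the trailer, a simple heuristic for image files being used to carry something other than an image. It assumes a payload appended after a structurally valid GIF; the post does not say how MiniDuke embeds its data in the GIFs, so the sample bytes below are constructed.

```python
import struct

GIF_TRAILER = 0x3B


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    # Walk a chain of length-prefixed sub-blocks up to the 0x00 terminator.
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_trailer_offset(data: bytes) -> int:
    """Return the offset just past the GIF trailer byte; raise on malformed input."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13
    if packed & 0x80:                      # global color table present
        pos += 3 * (2 << (packed & 0x07))
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block = data[pos]
        pos += 1
        if block == GIF_TRAILER:
            return pos
        if block == 0x21:                  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                # image descriptor (9 bytes after 0x2C)
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:             # local color table present
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                       # LZW minimum code size byte
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")


def trailing_bytes(data: bytes) -> int:
    # Bytes after the trailer are not part of the image; a non-zero count is a flag.
    return len(data) - gif_trailer_offset(data)


# Constructed sample: a valid 1x1 GIF, and the same GIF with opaque bytes appended.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"\x21\xf9\x04\x01\x00\x00\x00\x00"
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
SUSPICIOUS_GIF = CLEAN_GIF + b"\x9a\x17\x42\x00\xde\xad\xbe\xef" * 4

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("suspicious", SUSPICIOUS_GIF)):
        print(name, "bytes after trailer:", trailing_bytes(blob))
```

A GIF decoder stops at the trailer, so such a file still renders as a picture; the count of leftover bytes is what a scanner or proxy would log.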