Kaspersky Lab: Miniduke is active again

Researchers at Kaspersky Lab have discovered that the old-style Miniduke implants from 2013 are still being used in active campaigns against government and other organizations. In addition, Miniduke's new platform, called BotGenStudio, may now be in use not only by the actors behind Advanced Persistent Threat (APT) attacks, but also by law enforcement agencies and by traditional criminals.


Last year, following the announcement by Kaspersky Lab and its partner CrySyS Lab, the actors behind the Miniduke APT stopped their campaign, or at least reduced its intensity. However, at the beginning of 2014 the Miniduke attacks were once again in full swing. This time, Kaspersky Lab specialists noticed changes in how the attackers operate and in the tools they use.

After the 2013 disclosure, the perpetrators behind Miniduke switched to a different, customized backdoor capable of stealing various types of information. The malware "mimics" popular applications that run in the background of the system, copying their file information, icons and even their file size.

Unique characteristics

The main "new" Miniduke backdoor (known as TinyBaron or CosmicDuke) is built with a customizable framework called BotGenStudio, which lets the operators switch individual features on or off when each bot is compiled. The malware can steal a wide range of information. Its backdoor components include: a keylogger, collection of general network information, screenshot capture, theft of data from Microsoft Outlook and the Windows Address Book, a password stealer for Skype or Whatsapp, theft of data from Chrome, Google Talk, Opera, TheBat!, Firefox and Thunderbird, extraction of secrets from the system's protected storage, and export of certificates and private keys.

The malware uses several network mechanisms to exfiltrate data, including uploads over FTP and three different variants of HTTP communication. How the stolen data is packaged is another point of interest in MiniDuke. When a file is uploaded to the Command & Control server, it is split into small chunks (about 3 KB), each of which is compressed, encrypted and placed in a container before the upload completes. If the file is large enough, it is spread across many containers, which are uploaded independently. All these additional processing layers ensure that few researchers will be able to recover the original data.

Each MiniDuke victim is assigned a unique identifier, which allows specific updates to be pushed to each victim individually. For self-protection, the malware uses a custom obfuscated loader that consumes a great deal of CPU time before moving on to execute the payload. In this way the attackers prevent anti-malware products from analysing the implant and detecting its malicious behaviour in an emulator. This also complicates manual analysis of the malware.
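The exfiltration scheme described in the two paragraphs above (split into ~3 KB chunks, compress, encrypt, wrap each chunk in its own container that is uploaded independently, and tag everything with the victim's identifier) as an added example. This is not CosmicDuke's code and not Kaspersky Lab's analysis tooling: it is a stdlib-only Python model written for this page. The container layout (a `XFIL` marker, victim ID, file ID, chunk index and total), the HMAC-SHA256 counter-mode cipher, the encrypt-then-MAC tag and the sample file are all assumptions; the report does not document the real format or cipher.

```python
import hashlib
import hmac
import os
import struct
import zlib

CHUNK_SIZE = 3 * 1024               # "about 3 KB" chunks, as the report describes
MAGIC = b"XFIL"                     # hypothetical container marker (assumption)
HEADER = struct.Struct(">4sIIHHI")  # magic, victim_id, file_id, chunk_idx, chunk_total, body_len
NONCE_LEN = 8
TAG_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stream cipher built from HMAC-SHA256 (stdlib only).
    XOR is symmetric, so the same call encrypts and decrypts.
    Illustrative construction; the real malware's cipher is not documented here."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + struct.pack(">I", block_no), hashlib.sha256).digest()
        start = block_no * 32
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


def _tag(key: bytes, msg: bytes) -> bytes:
    # Encrypt-then-MAC: a wrong key or a tampered container is rejected before decompression.
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_containers(victim_id: int, file_id: int, data: bytes, key: bytes) -> list:
    """Bot side: split a stolen file into ~3 KB chunks, then compress, encrypt
    and wrap each chunk in its own container so they can be uploaded independently."""
    chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)] or [b""]
    containers = []
    for idx, chunk in enumerate(chunks):
        nonce = os.urandom(NONCE_LEN)
        body = _keystream_xor(key, nonce, zlib.compress(chunk, 9))
        header = HEADER.pack(MAGIC, victim_id, file_id, idx, len(chunks), len(body))
        msg = header + nonce + body
        containers.append(msg + _tag(key, msg))
    return containers


def parse_container(blob: bytes, key: bytes):
    """Validate and unwrap one container. Returns
    (victim_id, file_id, chunk_idx, chunk_total, plaintext), or None if the
    blob is malformed, tampered with, or encrypted under a different key."""
    if len(blob) < HEADER.size + NONCE_LEN + TAG_LEN or blob[:4] != MAGIC:
        return None
    _, victim_id, file_id, idx, total, body_len = HEADER.unpack_from(blob)
    end = HEADER.size + NONCE_LEN + body_len
    if len(blob) != end + TAG_LEN:
        return None
    msg, tag = blob[:end], blob[end:]
    if not hmac.compare_digest(tag, _tag(key, msg)):
        return None
    nonce = blob[HEADER.size:HEADER.size + NONCE_LEN]
    body = blob[HEADER.size + NONCE_LEN:end]
    try:
        plain = zlib.decompress(_keystream_xor(key, nonce, body))
    except zlib.error:
        return None
    return victim_id, file_id, idx, total, plain


def reassemble(containers, key: bytes) -> dict:
    """C&C side: group containers by (victim_id, file_id) in whatever order they
    arrived and return only the files that are complete. Invalid containers are ignored."""
    parts = {}
    for blob in containers:
        parsed = parse_container(blob, key)
        if parsed is None:
            continue
        victim_id, file_id, idx, total, plain = parsed
        parts.setdefault((victim_id, file_id), (total, {}))[1][idx] = plain
    files = {}
    for ident, (total, chunks) in parts.items():
        if len(chunks) == total:
            files[ident] = b"".join(chunks[i] for i in range(total))
    return files


# Constructed sample input (not real stolen data): a ~10 KB text file and a bot key.
SAMPLE_KEY = hashlib.sha256(b"example-bot-key").digest()
SAMPLE_FILE = b"".join(b"Confidential: contract draft, line %04d\n" % i for i in range(260))


def demo():
    """Package the sample file, deliver the containers out of order, reassemble."""
    containers = build_containers(victim_id=0x1234, file_id=7, data=SAMPLE_FILE, key=SAMPLE_KEY)
    files = reassemble(containers[::-1], SAMPLE_KEY)   # reversed: arrival order does not matter
    return len(containers), files


if __name__ == "__main__":
    n, files = demo()
    print(n, "containers; reassembled OK:", files[(0x1234, 7)] == SAMPLE_FILE)
```

The point for an analyst is in the last paragraph of the report: with only the captured containers, nothing on the wire resembles the original file, a partial capture yields nothing, and without the key the tag check fails before any decompression is attempted. The per-victim ID in the header is what lets the server route updates and reassembled files to a specific bot.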

C&C servers - dual purpose

During the analysis, Kaspersky Lab experts managed to obtain a copy of one of the CosmicDuke command and control (C&C) servers. It appears to have been used not only for communication between the CosmicDuke operators and the infected computers, but also for other activities of the team members, including hacking other servers on the Internet in order to collect any information or material that could lead to potential targets. For this purpose, the C&C server was equipped with a range of publicly available hacking tools for finding vulnerabilities in websites built on different engines, so that they could be infected.

The victims

Interestingly, while the old-style Miniduke implants were mainly used against government targets, the new CosmicDuke implants have a different victim profile. In addition to government organizations, the targets include diplomatic bodies, the energy sector, telecommunications, military equipment suppliers, and individuals involved in the trafficking and sale of illegal and controlled substances.

Kaspersky Lab experts analysed both CosmicDuke and Miniduke servers. From the latter they were able to extract a list of victims and the countries they corresponded to, and discovered that the operators of the old-style Miniduke servers were interested in targets in Australia, Belgium, France, Germany, Hungary, the Netherlands, Spain, Ukraine and the USA. Victims in at least three of these countries fall into the "government targets" category.

One of the CosmicDuke servers analysed had a long list of victims (139 unique IP addresses), starting in April 2012. Geographically, the top ten countries by number of victims include Georgia, Russia, the USA, Great Britain, Kazakhstan, Belarus, Cyprus, Ukraine and Lithuania. The attackers were also interested in expanding their activities, and scanned IP ranges and servers in Azerbaijan, Greece and Ukraine.

Commercial platform

The most unusual victims discovered were people who appeared to be involved in the trafficking and sale of controlled and illegal substances, such as steroids and hormones. These victims were observed only in Russia.

"It's a bit unexpected. Normally, when we hear about APT attacks, we tend to believe that these are government cyber-espionage campaigns. But we see two explanations for this. One possibility is that the BotGenStudio malware platform used in Miniduke is also available as one of the so-called 'legal spyware' tools, such as, for example, HackingTeam's RCS, which is widely used by law enforcement agencies. Another possibility is that the platform is simply available on the underground market and was bought by several competitors in the pharmaceutical business to spy on each other," commented Vitaly Kamluk, Principal Security Researcher in Kaspersky Lab's Global Research & Analysis Team.

Detection

Kaspersky Lab products detect the CosmicDuke backdoor under the names Backdoor.Win32.CosmicDuke.gen and Backdoor.Win32.Generic.

For more information, read the Kaspersky Lab blog post on Securelist.com.


Written by giorgos
