Kaspersky, CrySyS Warn of MiniDuke Malware


Researchers at Kaspersky Lab and CrySyS Lab have uncovered new malware called MiniDuke, which has reportedly infected government computers in a number of countries.

"MiniDuke finds its way to infected computers through PDFs," writes CNET News' Don Reisinger. "The malicious hackers -- who Kaspersky believes might have been dormant for some time because of the technique's similarity to those from the late-1990s -- have developed very believable and seemingly real PDFs. Once the file is downloaded to a computer, the exploit, which was written in Assembler and is only 20KB in size, takes advantage of unpatched flaws in Reader versions 9, 10, and 11."

"The PDFs purport to be Ukraine’s foreign policy and NATO membership plans, as well as information for a phony human rights seminar," writes Threatpost's Michael Mimoso. "The victims are not geographically similar; Kaspersky Labs reports 59 victims, most throughout Europe, a few Middle Eastern countries, Brazil and the United States."

"In Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland, the malware has been spotted on the systems of government organizations," writes Softpedia's Eduard Kovacs. "In Hungary, it has been identified on the networks of a social foundation and in the United States, on the computers of think tanks, a research institute and a healthcare provider."

"MiniDuke is a three-stage attack that drops its first payload after tricking a victim into opening an authentic-looking PDF document ... Infected machines then use Twitter or Google to retrieve encrypted instructions showing them where to report for additional backdoors," writes Ars Technica's Dan Goodin. "Stages two and three are stashed inside a GIF image file downloaded from the command server. Neither Kaspersky nor CrySyS is saying publicly what the malware does once it takes hold of a victim until they have had a chance to privately warn infected organizations."
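The reports above say later stages arrive hidden in a GIF file that still opens as a picture. One hunting heuristic an analyst can run offline is to walk the GIF block structure to the real trailer and check whether anything follows it, then measure the entropy of that tail, since an encrypted stage looks like random bytes. The script below is an added example written for this page, not code from Kaspersky, CrySyS or the published analyses; it assumes the common "valid image plus appended blob" layout, which the articles do not confirm for MiniDuke, and the sample GIF and payload are constructed inline.

```python
import math
import struct

# Constructed sample: the well-known 35-byte 1x1 GIF89a image.
MINIMAL_GIF = (
    b"GIF89a"                                   # header
    b"\x01\x00\x01\x00\x80\x00\x00"             # logical screen descriptor, GCT flag set
    b"\x00\x00\x00\xff\xff\xff"                 # 2-colour global colour table
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" # image descriptor
    b"\x02"                                     # LZW minimum code size
    b"\x02\x44\x01\x00"                         # one data sub-block + terminator
    b"\x3b"                                     # trailer
)
# Constructed stand-in for an appended encrypted stage (assumption: appended after trailer).
FAKE_PAYLOAD = bytes(range(256))
SAMPLE_WITH_TAIL = MINIMAL_GIF + FAKE_PAYLOAD


def _skip_sub_blocks(data, pos):
    """Skip a chain of length-prefixed sub-blocks; a zero length byte ends it."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_trailer_offset(data):
    """Return the offset of the 0x3B trailer by parsing, not by searching for the byte."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                     # trailer
            return pos
        if tag == 0x21:                     # extension: introducer, label, sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif tag == 0x2C:                   # image descriptor
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:              # local colour table present
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1                        # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (tag, pos))
    raise ValueError("no trailer found")


def trailing_payload(data):
    """Bytes after the GIF trailer; a decoder ignores them, an attacker can hide in them."""
    return data[gif_trailer_offset(data) + 1:]


def shannon_entropy(blob):
    """Bits per byte; 8.0 is uniform, which is what encrypted or compressed data approaches."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze(data, entropy_threshold=7.0):
    """Summarize a GIF: trailer offset, size of the tail, its entropy and a verdict."""
    tail = trailing_payload(data)
    ent = shannon_entropy(tail)
    return {
        "trailer_offset": gif_trailer_offset(data),
        "trailing_bytes": len(tail),
        "tail_entropy": round(ent, 3),
        "suspicious": len(tail) > 0 and ent >= entropy_threshold,
    }


if __name__ == "__main__":
    for name, blob in (("clean", MINIMAL_GIF), ("appended", SAMPLE_WITH_TAIL)):
        print(name, analyze(blob))
```

A clean file reports zero trailing bytes; the constructed sample reports 256 trailing bytes at entropy 8.0 and is flagged. Walking the block structure matters because 0x3B can legitimately occur inside image data, so a naive search for the trailer byte would cut a real image short.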

"The MiniDuke attackers are still active at this time and have created malware as recently as February 20, 2013," Help Net Security reports.