MiniDuke Virus Spreads via Fake PDF Documents Related to Ukraine – F-Secure
According to security firm F-Secure, MiniDuke, a well-known virus, is now spreading in the wild through innocent-looking fake PDF (Portable Document Format) documents related to Ukraine.
Antivirus firm Kaspersky identified MiniDuke last year; it was devised specifically to steal strategic insights and highly classified political information related to state security.
F-Secure researchers found the latest strain of MiniDuke while reviewing the decoy documents extracted from a large set of suspected MiniDuke samples.
The Hacker News published a report on 1st April, 2014 quoting Mikko Hypponen, CTO of F-Secure, as saying that this is exciting considering the present crisis in the area.
Interestingly, MiniDuke uses an exploit (CVE-2013-0640) for the widely used Adobe Reader. MiniDuke is written in assembly language and has a small file size (20KB); it uses compromised Twitter accounts for command and control, and if those Twitter accounts are not active, the malware locates backup control channels through Google searches.
MiniDuke's three-stage attack drops its initial payload after duping a victim into opening a legitimate-looking PDF document on topics such as human rights, Ukraine's foreign policy and plans for NATO membership. Infected machines then use Google or Twitter to retrieve encrypted instructions telling them where to report for additional backdoors. Stages two and three are stored within a GIF image file that is downloaded from the command server.
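Because later stages arrive inside a GIF downloaded from the command server, one defensive check is to walk the GIF block structure and flag any bytes that follow the trailer (0x3B), or an executable header hiding there. The following is an added example, not code from F-Secure or the article, and it is a generic heuristic: the page does not say how MiniDuke encodes its stages inside the image, so the appended-payload layout and the sample bytes below are constructed for illustration.

```python
GIF_HEADERS = (b"GIF87a", b"GIF89a")

def _skip_subblocks(data: bytes, pos: int) -> int:
    """Skip a chain of length-prefixed sub-blocks ending with a 0-length block."""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def gif_trailer_end(data: bytes) -> int:
    """Return the offset just past the GIF trailer byte; raise on malformed input."""
    if data[:6] not in GIF_HEADERS:
        raise ValueError("not a GIF header")
    packed = data[10]                         # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                         # global colour table present
        pos += 3 * (2 << (packed & 0x07))     # 2^(N+1) entries of 3 bytes
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                     # trailer: legitimate end of file
            return pos + 1
        if block == 0x21:                     # extension: introducer, label, sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif block == 0x2C:                   # image descriptor (10 bytes)
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:                # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos = _skip_subblocks(data, pos + 1)  # +1 skips LZW min code size
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos}")
    raise ValueError("no trailer found")

def scan_gif(data: bytes) -> dict:
    """Report data appended past the trailer, where a dropper could stash stages."""
    trailing = data[gif_trailer_end(data):]
    return {
        "trailing_bytes": len(trailing),
        "mz_header_appended": trailing.startswith(b"MZ"),
        "suspicious": len(trailing) > 0,
    }

# Constructed 1x1 GIF89a with a two-entry global colour table (35 bytes).
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"
             + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
             + b"\x02\x02\x44\x01\x00" + b"\x3b")
# Constructed sample with a fake executable appended after the trailer.
STASHED_GIF = CLEAN_GIF + b"MZ" + b"\x90" * 8 + b"stage2-placeholder"
```

Image viewers stop at the trailer, so both samples render identically; only the structural walk reveals the appended bytes.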
Hypponen included screenshots of several documents related to Ukraine which were apparently adapted from publicly accessible documents.
He notes that F-Secure additionally identified an odd document dated 15th February, 2013 - "unlikely to be initiated from any public source" - allegedly signed by Ruslan Demchenko, First Deputy Minister for Foreign Affairs of Ukraine, and addressed to overseas missions in Ukraine.
This suggests that the attacker had, or still has, access to the Ministry of Foreign Affairs of Ukraine.
However, F-Secure does not want to jump to any conclusions immediately.
Softpedia.com published a report on 2nd April, 2014 quoting Hypponen as saying "We don't know wherefrom the assailant got this decoy file and whom they besieged. Even we don't know who masterminded these attacks."
» SPAMfighter News - 10-04-2014