MiniDuke malware exploits Adobe, Internet Explorer and Java vulnerabilities
Spyware designed to infiltrate government networks can infect via Java and Internet Explorer vulnerabilities.
Research of the malware called MiniDuke by Kaspersky Lab and CrySys Labs initially found that it relied on social engineering to deliver infected PDFs targeting Adobe Reader 9-11.
According to a report by Threatpost, the attacks exploit CVE-2013-0640 that was patched by Adobe last month. Once on a compromised machine, the attackers are able to copy and move files to their servers, create new directories, kill processes and install additional malware.
However new infection mechanisms have been revealed that rely on vulnerabilities in Java and Internet Explorer to infect the victim. Kaspersky Lab's Igor Soumenkov said that while inspecting one of the command and control (C&C) servers of MiniDuke, it found files that were not related to the C&C code, but seemed to be prepared for infecting visitors using web-based vulnerabilities.
“Although the exploits were already known and published at the time of the attack, they were still very recent and could have worked against designated targets. As previously recommended, updating Windows, Java and Adobe Reader to the latest versions should provide a basic level of defence against the known MiniDuke attacks.”
Last week, Bitdefender discovered that a version of MiniDuke had been operating since 20th June 2011, predating a previous-seen version of the spyware by a year.
Bitdefender said that this sample currently seeks encrypted C&C instructions via an active Twitter account, with a single instruction dated 21st February 2012. The 2011 version does not use Google to search for command and control instructions, but lays dormant if it can't connect to Twitter.