
MiniDuke malware exploits Adobe, Internet Explorer and Java vulnerabilities


Spyware designed to infiltrate government networks can infect via Java and Internet Explorer vulnerabilities.

Research of the malware called MiniDuke by Kaspersky Lab and CrySys Labs initially found that it relied on social engineering to deliver infected PDFs targeting Adobe Reader 9-11.

According to a report by Threatpost, the attacks exploit CVE-2013-0640 that was patched by Adobe last month. Once on a compromised machine, the attackers are able to copy and move files to their servers, create new directories, kill processes and install additional malware.

However, new infection mechanisms have been revealed that rely on vulnerabilities in Java and Internet Explorer to infect the victim. Kaspersky Lab's Igor Soumenkov said that while inspecting one of the command and control (C&C) servers of MiniDuke, the company found files that were not related to the C&C code but appeared to have been prepared for infecting visitors using web-based vulnerabilities.

Kaspersky said that the first page serves as a starting point for the attack. It consists of two frames: one for loading the decoy web page from a legitimate website and another for performing malicious activities. The second web page contains 88 lines, mostly JavaScript code, which identifies the victim's browser and then serves one of two exploits.

He said: “The exploits are located in separate web pages. Clients using Internet Explorer version 8 are served with ‘about.htm’; for other versions of the browser and for any other browser capable of running Java applets, the JavaScript code loads ‘JavaApplet.html’.

“Although the exploits were already known and published at the time of the attack, they were still very recent and could have worked against designated targets. As previously recommended, updating Windows, Java and Adobe Reader to the latest versions should provide a basic level of defence against the known MiniDuke attacks.”
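The two-frame landing page described above (a decoy frame pulled from a legitimate site plus inline JavaScript that sniffs the browser and branches to one of two local pages) is a pattern a defender can look for statically in captured web content. The following is an added example written for this article, not code from Kaspersky Lab, CrySys Lab or Bitdefender: it parses an HTML page, collects frames and inline scripts, and flags the combination of an external decoy frame, browser-version sniffing and several branch targets. The sample HTML, the host names and the file names other than ‘about.htm’ and ‘JavaApplet.html’ are constructed for the example and contain no exploit code.

```python
"""Heuristic scan for a two-frame, browser-sniffing landing page.

Added example for this article (not vendor code). It only inspects page
structure; it does not fetch or execute anything.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class FrameAndScriptCollector(HTMLParser):
    """Collect frame/iframe tags, their src values and inline script text."""

    def __init__(self):
        super().__init__()
        self.frame_count = 0
        self.frame_srcs = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("frame", "iframe"):
            self.frame_count += 1
            if attrs.get("src"):
                self.frame_srcs.append(attrs["src"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> bodies through handle_data
        if self._in_script:
            self.scripts.append(data)


# Browser identification in JavaScript: navigator properties or an
# explicit "MSIE <n>" string comparison.
UA_SNIFF = re.compile(r"navigator\.(userAgent|appVersion|appName)|MSIE\s*\d", re.I)
# Quoted local .htm/.html targets that the script can redirect to.
LOCAL_PAGE = re.compile(r"""["']([\w\-]+\.html?)["']""")


def analyse_landing_page(html, page_host):
    """Return structural indicators for an HTML page served from page_host.

    'suspicious' is set when the page has at least two frames, one of them
    loading content from another origin (the decoy), inline JavaScript that
    identifies the browser, and at least two distinct local pages it can
    branch to.
    """
    p = FrameAndScriptCollector()
    p.feed(html)
    external_frames = [
        s for s in p.frame_srcs
        if urlparse(s).netloc and urlparse(s).netloc != page_host
    ]
    js = "\n".join(p.scripts)
    sniffs = bool(UA_SNIFF.search(js))
    targets = sorted(set(LOCAL_PAGE.findall(js)))
    indicators = {
        "frame_count": p.frame_count,
        "external_decoy_frame": bool(external_frames),
        "browser_sniffing": sniffs,
        "branch_targets": targets,
    }
    indicators["suspicious"] = (
        p.frame_count >= 2
        and bool(external_frames)
        and sniffs
        and len(targets) >= 2
    )
    return indicators


# Constructed sample page mirroring the structure reported in the article:
# a visible decoy frame from another site and a hidden frame whose source
# is chosen by a browser check. No exploit content is present.
SAMPLE_HTML = """<html><body>
<iframe src="http://legitimate.example.org/news/" width="100%" height="600"></iframe>
<iframe id="second" src="blank.htm" width="0" height="0"></iframe>
<script>
// constructed sample: pick the second page from the browser version
var ua = navigator.userAgent;
var target = (ua.indexOf("MSIE 8") != -1) ? "about.htm" : "JavaApplet.html";
document.getElementById("second").src = target;
</script>
</body></html>"""

BENIGN_HTML = "<html><body><p>Nothing to see here.</p></body></html>"

if __name__ == "__main__":
    # "landing.example" is a placeholder for the host the page was captured from
    print(analyse_landing_page(SAMPLE_HTML, "landing.example"))
    print(analyse_landing_page(BENIGN_HTML, "landing.example"))
```

The check is deliberately coarse: it is meant to triage captured pages from a proxy or sandbox, after which an analyst reviews the flagged script and the pages it branches to. Legitimate sites also sniff browsers, so the combination of all four indicators, not any one of them, is what raises the flag.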

Last week, Bitdefender discovered that a version of MiniDuke had been operating since 20th June 2011, predating a previously seen version of the spyware by a year.

Bitdefender said that this sample currently seeks encrypted C&C instructions via an active Twitter account, with a single instruction dated 21st February 2012. The 2011 version does not use Google to search for command and control instructions, but lies dormant if it can't connect to Twitter.
