This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

MiniDuke malware exploits Adobe, Internet Explorer and Java vulnerabilities

Share this article:

Spyware designed to infiltrate government networks can infect via Java and Internet Explorer vulnerabilities.

Research of the malware called MiniDuke by Kaspersky Lab and CrySys Labs initially found that it relied on social engineering to deliver infected PDFs targeting Adobe Reader 9-11.

According to a report by Threatpost, the attacks exploit CVE-2013-0640 that was patched by Adobe last month. Once on a compromised machine, the attackers are able to copy and move files to their servers, create new directories, kill processes and install additional malware.

However new infection mechanisms have been revealed that rely on vulnerabilities in Java and Internet Explorer to infect the victim. Kaspersky Lab's Igor Soumenkov said that while inspecting one of the command and control (C&C) servers of MiniDuke, it found files that were not related to the C&C code, but seemed to be prepared for infecting visitors using web-based vulnerabilities.

It said that the first page serves as a starting point for the attack. It consists of two frames: one for loading the decoy web page from a legitimate website and another for performing malicious activities. The second web page contains 88 lines, mostly JavaScript code, which identifies the victim's browser and then serves one of two exploits.

He said: “The exploits are located in separate web pages. Clients using Internet Explorer version 8 are served with ‘about.htm', for other versions of the browser and for any other browser capable of running Java applets, the JavaScript code loads ‘JavaApplet.html'.

“Although the exploits were already known and published at the time of the attack, they were still very recent and could have worked against designated targets. As previously recommended, updating Windows, Java and Adobe Reader to the latest versions should provide a basic level of defence against the known MiniDuke attacks.”

Last week, Bitdefender discovered that a version of MiniDuke had been operating since 20th June 2011, predating a previous-seen version of the spyware by a year.

Bitdefender said that this sample currently seeks encrypted C&C instructions via an active Twitter account, with a single instruction dated 21st February 2012. The 2011 version does not use Google to search for command and control instructions, but lays dormant if it can't connect to Twitter.

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

Shellshock: Millions of servers under attack

Shellshock: Millions of servers under attack

In the wake of Shellshock, end-users and security managers race to patch web servers and desktops, but may be forgetting vulnerable embedded devices.

Londoners agree to give child away in return for free WiFi

Londoners agree to give child away in return ...

Hundreds trapped and exposed by fake 'poisoned' WiFi hotspot.

Cybercrime-as-a-service the new criminal business model

Cybercrime-as-a-service the new criminal business model

A new report from Europol's European Cybercrime Centre (EC3) reveals that cybercrime is being increasingly commercialised, and by criminals who use legitimate services to hide their activities.