MiniDuke malware exploits Adobe, Internet Explorer and Java vulnerabilities

News by SC Staff

Spyware designed to infiltrate government networks can infect via Java and Internet Explorer vulnerabilities.

Spyware designed to infiltrate government networks can infect via Java and Internet Explorer vulnerabilities.

Research of the malware called MiniDuke by Kaspersky Lab and CrySys Labs initially found that it relied on social engineering to deliver infected PDFs targeting Adobe Reader 9-11.

According to a report by Threatpost, the attacks exploit CVE-2013-0640 that was patched by Adobe last month. Once on a compromised machine, the attackers are able to copy and move files to their servers, create new directories, kill processes and install additional malware.

However new infection mechanisms have been revealed that rely on vulnerabilities in Java and Internet Explorer to infect the victim. Kaspersky Lab's Igor Soumenkov said that while inspecting one of the command and control (C&C) servers of MiniDuke, it found files that were not related to the C&C code, but seemed to be prepared for infecting visitors using web-based vulnerabilities.

It said that the first page serves as a starting point for the attack. It consists of two frames: one for loading the decoy web page from a legitimate website and another for performing malicious activities. The second web page contains 88 lines, mostly JavaScript code, which identifies the victim's browser and then serves one of two exploits.

He said: “The exploits are located in separate web pages. Clients using Internet Explorer version 8 are served with ‘about.htm', for other versions of the browser and for any other browser capable of running Java applets, the JavaScript code loads ‘JavaApplet.html'.

“Although the exploits were already known and published at the time of the attack, they were still very recent and could have worked against designated targets. As previously recommended, updating Windows, Java and Adobe Reader to the latest versions should provide a basic level of defence against the known MiniDuke attacks.”

Last week, Bitdefender discovered that a version of MiniDuke had been operating since 20th June 2011, predating a previous-seen version of the spyware by a year.

Bitdefender said that this sample currently seeks encrypted C&C instructions via an active Twitter account, with a single instruction dated 21st February 2012. The 2011 version does not use Google to search for command and control instructions, but lays dormant if it can't connect to Twitter.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews