Unidentified attackers have infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden and Twitter and Google to ensure it always has a way to receive updates.
MiniDuke, as researchers from Kaspersky Lab and Hungary-based CrySyS Lab have dubbed the threat, bears the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-Zine by the same name. Because MiniDuke is written in assembly language, most of its computer files are tiny. Its use of multiple levels of encryption and clever coding tricks makes the malware hard to detect and reverse engineer. It also employs a method known as steganography, in which updates received from control servers are stashed inside image files.
In another testament to the skill of the attackers, MiniDuke has taken hold of government agencies, think tanks, a US-based healthcare provider, and other high-profile organizations using the first known exploit to pierce the security sandbox in Adobe Systems’ Reader application. Adding intrigue to this, the MiniDuke exploit code contained references to Dante Alighieri’s Divine Comedy and also alluded to 666, the Mark of the Beast discussed in a verse from the Book of Revelation.
“When we started looking at the backdoors themselves, we said, ‘Now this is very interesting’ because it’s certainly professionally done and it takes us back to a golden age of the incredibly complex viruses and coding techniques that were used when 29A was around,” Kaspersky Lab expert Kurt Baumgartner told Ars. “29A was the elite of the elite when it came to virus writing. Everybody hoped that their stuff never got out, because they were writing metamorphic, viral engines. They advanced viral code that they maintained in their magazine.”
MiniDuke is a three-stage attack that drops its first payload after tricking a victim into opening an authentic-looking PDF document referring to highly relevant topics including human rights, Ukraine’s foreign policy, and NATO membership plans. Infected machines then use Twitter or Google to retrieve encrypted instructions showing them where to report for additional backdoors. Stages two and three are stashed inside a GIF image file downloaded from the command server. Neither Kaspersky nor CrySyS is saying publicly what the malware does once it takes hold of a victim until they have had a chance to privately warn infected organizations.
“What we know is that some threat actor systematically attacked governmental organizations, and here we are not speaking about libraries, but highest-ranked organizations with malware in many NATO states,” Boldizsar Bencsath, a researcher with CrySyS, wrote in an e-mail to Ars. “As well, they attacked human rights organizations, which is also a clear attack on democracy. In this situation the appropriate response should be organized and agile.”
He said he’s aware of at least 60 victims. Kaspersky has identified at least 23 affected countries, including the US, Hungary, Ukraine, Belgium, Portugal, Romania, the Czech Republic, Brazil, Germany, Israel, Japan, Russia, Spain, the UK, and Ireland.
Kaspersky’s report on MiniDuke is here. The CrySyS analysis is here, and the lab has published a separate document that shows experienced researchers how to detect the malware on infected machines.
MiniDuke’s minimalistic approach, multiple levels of encryption, selection of victims, and use of compromised servers as command channels remind Kaspersky researchers of both Duqu and the more recently discovered Red October espionage platform. But the exploit code’s literary and biblical references and allusions to hellish stories and situations are highly unusual for espionage malware of this caliber and success.
Although the Stuxnet virus contained what some researchers believe may be references to the Jewish Purim queen and the date an Iranian Jewish businessman was executed by firing squad in Tehran, the imagery in the MiniDuke exploit is altogether different. The Adobe exploit, which was first discovered by security firm FireEye, was also used in an attack Kaspersky researchers believe is unrelated to MiniDuke.
“There’s images of hell and there’s some numeric stuff littered in the zero-day that we would see back in the days of old-school virus writers that you don’t see anymore,” Baumgartner said. Because the initial attack that installs MiniDuke may have been spawned from an exploit tool, it’s not entirely clear who is responsible for the biblical and literary references.
Then there##Q##s the multilayered technical agility of the malware, including its ability to dynamically scan all functions from memory instead of importing them.
“The uses of encryption here along with taking these old assembler techniques and pushing them into a malware package that incorporates a highly resilient infrastructure implementing communications with high-availability services like Twitter and Google is just weird,” Baumgartner said. “We’re calling a backdoor DLL with no imports weird, which it is. It takes an old-school virus writer to come up with something like that.”
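The “backdoor DLL with no imports” that Baumgartner describes is something a defender can actually check for: a PE file declares its imports in the import data directory of the optional header, and a DLL whose import directory is empty resolves everything at runtime instead. The script below is an added triage example, not code from Kaspersky, CrySyS or the article; it parses only the headers needed to answer that question and builds a constructed minimal PE image in memory (not a loadable binary) so it runs offline. The flag is a signal, not a verdict: resource-only DLLs legitimately have no import table, so a hit means “look closer,” and a miss says nothing about a DLL that hides imports some other way.

```python
import struct

IMAGE_FILE_DLL = 0x2000          # Characteristics bit: file is a DLL
IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import directory
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_headers(pe: bytes) -> dict:
    """Read the DOS, COFF and optional headers far enough to report whether
    the file is a DLL and what its import data directory entry says."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, size_opt, characteristics = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, count_off)[0]
    import_rva = import_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_IMPORT:
        entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
        import_rva, import_size = struct.unpack_from("<II", pe, entry)
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "optional_header_size": size_opt,
        "import_rva": import_rva,
        "import_size": import_size,
    }


def looks_like_importless_dll(pe: bytes) -> bool:
    """Triage signal: a DLL with an empty import directory. Unusual, not proof."""
    h = parse_pe_headers(pe)
    return h["is_dll"] and h["import_rva"] == 0 and h["import_size"] == 0


def build_sample_pe(is_dll: bool, with_imports: bool) -> bytes:
    """Constructed sample: a header-only PE32 image (no sections, not loadable),
    just enough structure for the parser above to exercise both outcomes."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    optional = bytearray(224)                       # PE32 optional header size
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    struct.pack_into("<I", optional, 92, 16)        # NumberOfRvaAndSizes
    if with_imports:
        # constructed RVA/size for the import directory entry
        struct.pack_into("<II", optional, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x2000, 40)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


if __name__ == "__main__":
    for is_dll, with_imports in [(True, False), (True, True), (False, False)]:
        sample = build_sample_pe(is_dll, with_imports)
        print(parse_pe_headers(sample), "-> flag:", looks_like_importless_dll(sample))
```

Pointed at real files, the same two functions work on the bytes of any PE on disk; pair the flag with the file’s origin and signing status before drawing a conclusion, since the check alone cannot distinguish a runtime-resolving backdoor from a benign resource-only library.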
An advanced and well-orchestrated computer spy operation that targeted diplomats, governments and research institutions for at least five years has been uncovered by security researchers in Russia.
The highly targeted campaign, which focuses primarily on victims in Eastern Europe and Central Asia based on existing data, is still live, harvesting documents and data from computers, smartphones and removable storage devices, such as USB sticks, according to Kaspersky Lab, the Moscow-based antivirus firm that uncovered the campaign. Kaspersky has dubbed the operation “Red October.”
While most of the victims documented are in Eastern Europe or Central Asia, targets have been hit in 69 countries in total, including the U.S., Australia, Ireland, Switzerland, Belgium, Brazil, Spain, South Africa, Japan and the United Arab Emirates. Kaspersky calls the victims “high profile,” but declined to identify them other than to note that they’re government agencies and embassies, institutions involved in nuclear and energy research and companies in the oil and gas and aerospace industries.
“The main purpose of the operation appears to be the gathering of classified information and geopolitical intelligence, although it seems that the information-gathering scope is quite wide,” Kaspersky notes in a report released Monday. “During the past five years, the attackers collected information from hundreds of high-profile victims, although it’s unknown how the information was used.”
The attackers, believed to be native Russian-speakers, have set up an extensive and complex infrastructure consisting of a chain of at least 60 command-and-control servers that Kaspersky says rivals the massive infrastructure used by the nation-state hackers behind the Flame malware that Kaspersky discovered last year.
The attack also shows no signs yet of being the product of a nation-state and may instead be the work of cybercriminals or freelance spies looking to sell valuable intelligence to governments and others on the black market, according to Kaspersky Lab senior security researcher Costin Raiu.
The malware the attackers use is highly modular and customized for each victim; each victim is assigned a unique ID that is hardcoded into the malware modules they receive.
“The victim ID is basically a 20-hex digit number,” Raiu says. “But we haven’t been able to figure out any method to extract any other information from the victim ID…. They are compiling the modules right before putting them into the booby-trapped documents, which are also customized to the specific target with a lure that can be interesting to the victim. What we are talking about is a very targeted and very customized operation, and each victim is pretty much unique in what they receive.”
The statistics on countries and industries are based on Kaspersky customers who have been infected with the malware and on victim machines that contacted a Kaspersky sinkhole set up for some of the command-and-control servers.
Raiu wouldn’t say how his company came across the operation, other than to note that someone asked the lab last October to look into a spear-phishing campaign and a malicious file that accompanied it. The investigation led them to uncover more than 1,000 malicious modules the attackers used in their five-year campaign.
Each module is designed to perform various tasks — extract passwords, steal browser history, log keystrokes, take screenshots, identify and fingerprint Cisco routers and other equipment on the network, steal email from local Outlook storage or remote POP/IMAP servers, and siphon documents from the computer and from local network FTP servers. One module designed to steal files from USB devices attached to an infected machine uses a customized procedure to find and recover deleted files from the USB stick.
A separate mobile module detects when a victim connects an iPhone, Nokia or Windows phone to the computer and steals the contact list, SMS messages, call and browsing history, calendar information and any documents stored on the phone.
Based on search parameters uncovered in some of the modules, the attackers are looking for a wide variety of documents, including .pdf files, Excel spreadsheets, .csv files and, in particular, any documents with various .acid extensions. These refer to documents run through Acid Cryptofiler, an encryption program developed by the French military, which is on a list of crypto software approved for use by the European Union and NATO.