Kaspersky Lab and Hungarian cyber-hunters CrySys have discovered another apparent state-sponsored spy program the firms believe has successfully compromised systems inside at least 23 different governments, some as recently as a week ago.
Dubbed ‘MiniDuke’, it is about as odd a piece of malware as one can imagine, which these days usually spells trouble.
The researchers first noticed it as the unnamed malicious PDF malware exploiting a recent Reader zero-day flaw (CVE-2013-0640), reported by security firm FireEye on 12 February, which Adobe suggested version XI users counter pro tem by turning on ‘protected’ mode.
Now we can see why security firms were so worried about this particular zero-day, not least because the attacks appear to have worked spectacularly well.
In essence, MiniDuke is the back door with a difference. It's purpose is probably to allow the theft of sensitive documents, but it is the way it is built that really catches the attention.
To aid stealth and to stymie emulation security (which peers at code to work out what it’s trying to do), its creators made extensive use of x86 Assembler, a programming language last used in malware in the early days of computer viruses up to the mid-1990s when a tiny memory footprint mattered.
Kaspersky describes this as “old school”, but ‘old world’ might be closer to the mark. It is certainly unexpected and odd.
A second more bizarre element is a tiny but quite deliberate clue buried in the code itself that looks like a reference to the infamous, long-running and defunct ‘29A’ (hex for ‘666’) group of malware writers that disappeared from view about five years ago.
Are one or more of the mischievous 29A writers back in action? Surely not, but if they are MiniDuke suggests they are working for a state actor now or have a secret admirer.
Another interesting characteristic is the use of Twitter as a command and control channel, where MiniDuke accesses commands from numerous accounts identifying themselves with the string “uri!”. A second backup channel was also found on Google.
According to Kaspersky and CrySis, MiniDuke appears to have compromised at least 59 unique victims in 23 countries, overwhelmingly European governments.
The full list of governments attacked is long: Ukraine, Belgium, Portugal, Romania, the Czech Republic, Ireland, Hungary to pick on only a few prominent ones. It also found victims in the US where it had been detected inside the networks of think tanks, a research institute and a healthcare provider, researchers said.
Targeting specific countries more than others (no word yet of which), a Kaspersky source told Techworld that the program had probably been operating for months rather than years.
“This is a very unusual cyberattack,” said Kaspersky Lab founder and CEO, Eugene Kaspersky with the understatement of a sage.
“I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld.”
Kaspersky’s researchers themselves said it reminded them of Duqu and the more recent Red October malware, although this is probably more to do with unconscious emulation than a direct connection.
This much we can say. Cyberweapons concocted by states to attack other states can be big and bad (Flame), highly targeted (Stuxnet) and slightly odd (Duqu); for now MiniDuke must be placed towards in a decidedly strange wing of its own. It has been no less effective for all that.