The Miniduke advanced persistent threat (APT) campaign uncovered by researchers at Kaspersky Lab and CrySys Lab in February 2013 is back after a year-long hiatus in which attacks abated almost entirely. While the initial Miniduke operations primarily targeted government organizations in Europe, this second wave of attacks has expanded its scope to an assortment of other groups, the strangest of which are online peddlers of illegal substances.
In addition to spying on people who sell hormones and steroids online, the resurgent attack campaign also seeks information from organizations involved with government, diplomacy, energy, telecommunications, and military contracting. The revamped Miniduke has more tools to steal data and better protections designed to keep researchers away from that data, in addition to a slew of other new features.
The campaign is known to target countries all over the world, including Austria, Belgium, France, Germany, Hungary, the Netherlands, Spain, Ukraine, and the United States. However, an analysis of one individual server showed specific infections in Georgia, Russia, the United Kingdom, Kazakhstan, India, Belarus, Ukraine, Cyprus, and Lithuania. The command and control servers are actively and increasingly scanning for vulnerable systems in Azerbaijan, Ukraine, and Greece, suggesting that the people behind the campaign are interested in expansion.
Miniduke was unique among APT actors at the time of its initial discovery because of a custom backdoor written in the relatively outdated assembly language, a novel command and control infrastructure with multiple redundancy paths including Twitter accounts, and a form of steganography in which the developers stealthily transferred their updated executables inside .gif files.
These standout elements of the original Miniduke campaign remain in use, though a number of new elements have been added to the malware as well. Miniduke still relies on Twitter accounts with hard-coded URLs pointing toward the command and control server. The URLs themselves are slightly different, but the algorithm encoding them within tweets is the same.
After examining the update sent by Miniduke’s active C&C server, the researchers uncovered a number of new features. Notably, each infected machine is assigned a unique identifier, which lets the C&C server push specific updates to individual victims.
Following their initial exposure last year, Miniduke’s developers made a number of changes that appear designed to throw off researchers, including a feature that drains computation resources to limit the efficacy of antivirus engines, a custom obfuscator, and heavy use of encryption and compression based on the RC4 and LZRW algorithms. The developers also built a new, custom backdoor using a tool called BotGenStudio.
The new backdoor – which has been called either CosmicDuke or TinyBaron – gives the malware the capacity to steal various types of data. The malware spoofs updaters for popular applications such as Java, Chrome, and Adobe, which run quietly in the background on infected machines.
The tools used in the latest iterations of the attack have three areas of focus: persistence, reconnaissance, and data exfiltration.
CosmicDuke either starts via the Windows task scheduler, using a customized service binary that spawns a new process set in a special registry key, or it is launched when the user is away and the screensaver activates, thus ensuring a persistent presence on infected machines.
For reconnaissance, CosmicDuke is coded to recognize and steal files with a variety of popular extensions. It also has built-in keylogging, password stealing, browser history and general network information harvesting, address book copying, and a variety of other capabilities designed to collect sensitive information from infected machines.
“The malware implements several methods to exfiltrate information, including uploading data via FTP and three variants of HTTP-based communication mechanisms,” Kaspersky Lab’s Global Research and Analysis Team writes. “A number of different HTTP connectors act as helpers, trying various methods in case one of them is restricted by local security policies or security software.”
These three methods are: a direct TCP connection and HTTP session via the Winsock library, an HTTP session via Urlmon.dll, and an HTTP session via an invisible instance of Internet Explorer used as an OLE object.
Once the data is pulled from the victim machines, it is split into much smaller (3 KB) pieces of the original information.
“If the source file is large enough it may be placed into several hundred different containers that are uploaded independently,” the researchers write. “These data chunks are probably parsed, decrypted, unpacked, extracted and reassembled on the attacker’s side. This method is used to upload screenshots made on the victim’s machine. Creating such a complicated storage might be an overhead; however, all those layers of additional processing guarantee that very few researchers will get to the original data while offering an increased reliability against network errors.”
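The chunked upload scheme described above has a recognizable shape on the wire: one client sending many similarly sized (roughly 3 KB) POST requests to one host within a short window. The following script is an added example, not code from the article or from Kaspersky’s report; it runs a sliding-window heuristic over constructed proxy log lines to flag that pattern. The log format, the hostnames (`*.example.invalid`), the client addresses and the thresholds (`CHUNK_MIN`, `CHUNK_MAX`, `MIN_CHUNKS`, `WINDOW`) are all assumptions chosen for the demonstration.

```python
"""Heuristic detector for chunked-upload exfiltration bursts (added example).

Assumed proxy log format, one request per line:
    <ISO-8601 timestamp> <client-ip> <method> <host> <bytes-out>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes_out>\d+)$"
)

# Assumed tuning values for the demo, not figures from the report.
CHUNK_MIN, CHUNK_MAX = 2_800, 3_300   # bytes: uploads of "about 3 KB"
MIN_CHUNKS = 20                        # chunk-sized POSTs needed in one window
WINDOW = timedelta(minutes=5)          # sliding window length


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "client": m["client"],
        "method": m["method"],
        "host": m["host"],
        "bytes_out": int(m["bytes_out"]),
    }


def find_chunked_uploads(lines):
    """Return {(client, host): max_chunk_posts_in_one_window} for suspicious pairs.

    Only POST requests whose body size falls inside the chunk range count;
    a (client, host) pair is flagged when at least MIN_CHUNKS such requests
    fall inside any WINDOW-long interval.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if CHUNK_MIN <= rec["bytes_out"] <= CHUNK_MAX:
            by_pair[(rec["client"], rec["host"])].append(rec["ts"])

    findings = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):          # two-pointer sliding window
            while ts - stamps[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= MIN_CHUNKS:
            findings[pair] = best
    return findings


def _build_sample_log():
    """Constructed sample traffic: benign browsing, a few large uploads,
    a handful of small API POSTs, and one client streaming ~3 KB chunks."""
    base = datetime(2014, 7, 3, 9, 0, 0)
    lines = []
    for i in range(30):                            # benign GETs, no upload body
        t = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{t} 10.0.0.7 GET intranet.example.invalid 0")
    for i in range(5):                             # benign large file uploads
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} 10.0.0.7 POST files.example.invalid {150_000 + i * 1000}")
    for i in range(3):                             # a few ~3 KB POSTs: below threshold
        t = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{t} 10.0.0.9 POST api.example.invalid 3000")
    for i in range(45):                            # suspicious: 45 chunks in ~90 s
        t = (base + timedelta(seconds=2 * i)).isoformat()
        size = 3_000 + (i % 4) * 40                # sizes cluster around 3 KB
        lines.append(f"{t} 10.0.0.5 POST cdn-update.example.invalid {size}")
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for (client, host), count in find_chunked_uploads(SAMPLE_LOG).items():
        print(f"suspicious chunked upload: {client} -> {host} ({count} chunk-sized POSTs)")
```

Running it flags only `10.0.0.5 -> cdn-update.example.invalid`; the large file-share uploads and the three isolated 3 KB API calls are ignored because they miss either the size band or the per-window count. The heuristic is deliberately independent of the HTTP connector in use (Winsock, Urlmon.dll or an embedded Internet Explorer instance all look the same at the proxy), so it complements host-based checks rather than replacing them.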
You can find a deeper analysis of the new Miniduke attack campaign along with MD5 hashes and a list of hacking tools used by the APT group in a research paper published on Securelist.