New espionage malware has been discovered that targets a patched sandbox-bypass vulnerability in Adobe Reader. The attacks have hit a relatively small number of government victims in 23 countries, primarily in Europe, and rely on a string of unusual tactics, including the use of steganography to hide backdoor code, as well as the capability to reach out to Twitter accounts created by the attackers for links to command and control servers.
Dubbed MiniDuke by researchers at Kaspersky Lab and CrySyS Lab, these attacks were active as of one week ago. They rely on effective social engineering to deliver infected PDFs targeting Adobe Reader 9 through 11. The PDFs purport to be Ukraine’s foreign policy and NATO membership plans, as well as information for a phony human rights seminar. The victims are geographically dispersed: Kaspersky Lab reports 59 victims, most throughout Europe, with others in a few Middle Eastern countries, Brazil and the United States.
“This is a unique and very strange attack. The many different targets hit in separate countries, together with the high profile appearance of the decoy documents and the weird backdoor functionality indicate an unusual threat actor,” a Kaspersky and CrySyS report said. “Some of the elements remind us of both Duqu and Red October, such as the minimalistic approach, hacked servers, encrypted channels but also the typology of the victims.”
The attacks exploit CVE-2013-0640, which Adobe patched on Feb. 20. Once on a compromised machine, the attackers are able to copy and move files to their servers, create new directories, kill processes and install additional malware.
These attacks, along with another exploit discovered by FireEye, are the first to successfully bypass the sandbox protection in Adobe Reader, known as Protected Mode, since it was introduced in version X. The first attacks used PDFs pretending to be a travel visa application called Visaform Turkey.pdf; the JavaScript exploit code has since been modified.
Once a machine has been compromised, a tiny 20 KB downloader that is unique per system is dropped; it contains custom backdoor code written in old-school assembler, which is unusual for modern malware, researchers said. The downloader gathers system information unique to the compromised machine and uses that data to encrypt later communications, the Kaspersky report said.
The malware then reaches out to Twitter looking for tweets seeded by the attackers that automatically point to the command and control servers, where additional commands and encrypted backdoors hidden in GIF files await. The attackers also had a backup plan in case their Twitter accounts were taken down: the malware performs a Google search to find the encrypted URI strings.
“This model is flexible and enables the operators to constantly change how their backdoors retrieve further commands or malcode as needed,” the report said.
The encrypted backdoors hidden in the GIFs ultimately download more backdoor code that carries out the cyberespionage activities and also connects to servers in Panama and Turkey that are part of the command and control infrastructure.
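The report says only that encrypted backdoors were "hidden in GIF files", not how. A common way to smuggle a payload inside an image is to append it after the GIF trailer byte (0x3B), where image viewers ignore it. The following scanner, an added example that is not part of the original article or of the Kaspersky/CrySyS analysis, walks the GIF block structure, reports any bytes after the trailer, and measures their Shannon entropy, since an encrypted blob is close to 8 bits per byte. The sample GIF and the appended data are constructed here for illustration; assuming appended payloads is an assumption, not a description of the MiniDuke samples.

```python
import math
from dataclasses import dataclass

# Constructed sample: a minimal, valid 1x1 GIF89a (35 bytes), built by hand for this
# example. It is not taken from any MiniDuke sample.
MINIMAL_GIF = bytes.fromhex(
    "474946383961"          # "GIF89a" signature
    "0100" "0100"           # logical screen 1 x 1
    "80" "00" "00"          # packed: global color table with 2 entries; bg index; aspect
    "000000" "ffffff"       # global color table (2 entries x RGB)
    "2c" "0000" "0000" "0100" "0100" "00"  # image descriptor, no local color table
    "02"                    # LZW minimum code size
    "02" "4401"             # one data sub-block of 2 bytes
    "00"                    # block terminator
    "3b"                    # GIF trailer
)


class GifParseError(ValueError):
    """Raised when the input is not a well-formed GIF."""


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past length-prefixed sub-blocks; a 0x00 length byte ends the sequence."""
    while True:
        if pos >= len(data):
            raise GifParseError("truncated sub-block sequence")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_trailer_offset(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifParseError("not a GIF header")
    if len(data) < 13:
        raise GifParseError("truncated logical screen descriptor")
    packed = data[10]
    pos = 13
    if packed & 0x80:  # global color table present: 3 bytes x 2^(N+1) entries
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise GifParseError("no trailer found")
        block = data[pos]
        pos += 1
        if block == 0x3B:          # trailer: the image proper ends here
            return pos
        if block == 0x21:          # extension: label byte, then sub-blocks
            pos += 1
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x2C:        # image descriptor: 9 bytes, optional local table, LZW data
            if pos + 9 > len(data):
                raise GifParseError("truncated image descriptor")
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1               # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise GifParseError(f"unknown block type 0x{block:02x} at offset {pos - 1}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class GifReport:
    trailing_bytes: int
    trailing_entropy: float
    has_trailing_data: bool   # anything after the trailer is anomalous for a plain image
    high_entropy: bool        # trailing data that also looks encrypted


def inspect_gif(data: bytes, entropy_threshold: float = 6.0) -> GifReport:
    """Report data appended after the GIF trailer and whether it looks encrypted."""
    end = gif_trailer_offset(data)
    trailing = data[end:]
    ent = round(shannon_entropy(trailing), 3)
    return GifReport(len(trailing), ent, len(trailing) > 0, len(trailing) > 0 and ent >= entropy_threshold)


if __name__ == "__main__":
    # Constructed "payload": a byte pattern with maximal entropy, standing in for an encrypted blob.
    print(inspect_gif(MINIMAL_GIF))
    print(inspect_gif(MINIMAL_GIF + bytes(range(256)) * 4))
```

In a triage pipeline this check runs over GIFs fetched by endpoints from unusual hosts; a file whose bytes after the trailer are both present and high-entropy is worth pulling for manual analysis, while a clean image yields no trailing data at all. Payloads hidden in pixel data rather than appended would not be caught by this check, which is why the entropy of the image's own LZW blocks is a natural next signal.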
“Perhaps the most unusual thing about these three new attacks is the malware they drop. In all the analyzed cases, the dropped malware is in the form of a 22,528 bytes DLL file. Parts of the malicious DLL file are encrypted with information related to the system configuration, which ensures it will only work properly on the victim’s system. If copied to another computer, the malware will be unable to function successfully,” the Kaspersky report said.
The backdoors, meanwhile, call out to seven addresses, and each has its own capabilities, including the ability to check for mouse clicks to determine when users are active. Other functionality includes searching for executables and DLL files, gathering system information, and determining what detection capability is on the machine and whether it should attempt to communicate externally with the Twitter accounts, for example.
Espionage campaigns such as this one, Red October, Duqu and Flame have been in the headlines for some time. Researchers noted some similarities between previous attacks and MiniDuke, an indication that the attackers could be borrowing and adapting each other's tactics.