Researchers at Kaspersky Lab and CrySys Lab have discovered files buried inside a MiniDuke command and control server that indicate the presence of a Web-based facet of the campaign that initially targeted government agencies, primarily in Europe.

Users are likely lured to the malicious webpages via spear phishing messages containing a link to the attack site. The site, which remains active, is serving exploits for patched vulnerabilities in Java and Internet Explorer, researcher Igor Soumenkov wrote on the Securelist blog today.

Soumenkov said the attack site hosts a pair of frames, one that loads a webpage from a legitimate organization involved in the rebuilding and modernization of Iraq. In addition to the decoy page, a malicious page acts as a “primitive exploit pack,” Soumenkov said, determining the browser used to visit the attack site and then serves the appropriate exploit. Data collected is also sent to the attacker’s server.

“The exploits are located in separate webpages,” Soumenkov wrote. “Clients using Internet Explorer version 8 are served with about.htm, for other versions of the browser and for any other browser capable of running Java applets, the javascript code loads JavaApplet.html.”

The Java file loads a Java class file that exploits CVE-2013-0422, a vulnerability affecting Java 7u10 and older that bypasses the built-in sandbox in Java to allow remote code execution. Soumenkov said the exploit is coded slightly differently than others exploiting this vulnerability, including the Metasploit module, likely to avoid detection by security software. Oracle patched this vulnerability on Jan. 13; the applet was uploaded on Feb. 11, Soumenkov said.

Once the Java shellcode is executed, it launches an encrypted DLL  and writes it to a temporary Java directory with the name ntuser.bin. It then copies the rundll.32.exe system file to the same directory along with another executable that loads the main module of Miniduke.

Miniduke then reaches out to a pre-seeded Twitter post hosting a URL connecting it to the command and control server to download further instructions.

The IE 8 exploit behaves similarly, but exploits CVE-2012-4792, which was patched in December by Microsoft. A Metasploit module was released Dec. 29 and the Microsoft Security Update MS13-008 on Jan. 14. Like its Java counterpart, this exploit page was uploaded Feb. 11.

The shellcode used in the IE attack downloads a GIF image from the command and control server then decrypts the portable executable file hidden in the image.

“The PE file also appeared to be a modification of the Miniduke’s main backdoor module that uses the same Twitter URL as the Java payload,” Sumenkov wrote.

MiniDuke surfaced on Feb. 27 and originally were thought to be just a phishing campaign where targets were emailed malicious PDF files pretending to be Ukraine’s foreign policy and NATO membership plans, as well as information for a phony human rights seminar. The PDF attacks targeted CVE-2013-0640, an Adobe Reader vulnerability that had been patched a week earlier. Attackers were able to cope and move files, create new directories, kill processes and install additional malware. MiniDuke was the second successful Reader sandbox bypass.

MiniDuke stood out for researchers for its use of steganography to hide custom backdoor code, as well as using Twitter to reach URLs pointing to command and control servers. Another unique feature of MiniDuke was its use of a small downloader written in an old-school Assembler language used to gather system information unique to the compromised machine.

“This is a unique and very strange attack. The many different targets hit in separate countries, together with the high profile appearance of the decoy documents and the weird backdoor functionality indicate an unusual threat actor,” said the original Kaspersky and CrySyS report. “Some of the elements remind us of both Duqu and Red October, such as the minimalistic approach, hacked servers, encrypted channels but also the typology of the victims.”

Categories: Malware