Hackers used a highly customized piece of malware that takes advantage of a recently revealed Adobe flaw to spy on governments and institutions worldwide, security firm Kaspersky Lab announced Wednesday.
The 59 victims in 23 countries include government entities in Ireland, Belgium, Portugal, Ukraine and the Czech Republic, and a research foundation in Hungary. A think tank, a research institute and a healthcare provider in the U.S. were also targeted.
The attacks exploit an Adobe Reader flaw discovered earlier this month by the security firm FireEye. The malware, dubbed MiniDuke, connects to servers in Panama and Turkey. The attacks are still going on, even though Adobe released two sets of security updates, on Feb. 20 and on Tuesday, to patch the flaw.
How MiniDuke Works
The attackers sent well-crafted content in PDF files that fabricated human rights seminar information, NATO’s membership plans and information on Ukraine’s foreign policy to their victims, Kaspersky said. These files were rigged with exploits that attacked Adobe Reader versions 9, 10 and 11, bypassing the application’s sandbox.
When a victim opens a rigged PDF, it drops a 20 KB downloader onto the victim’s PC. This downloader contains a customized backdoor written in assembly language. When the PC is booted up, the downloader computes a unique fingerprint of the computer, which it later uses in its communications.
If the target system meets certain predefined requirements, the malware will log on to Twitter without the knowledge of the PC’s owner, and will look for specific tweets from accounts set up by the operators of the malware’s command and control center.
The tweets carry specific tags that mark encrypted URLs for the backdoors. These URLs provide access to the command and control centers, which then issue commands and transfer additional backdoors as encrypted GIF files. These files appear as ordinary pictures on the victim’s PC.
MiniDuke’s creators appear to have built in a dynamic backup channel that flies under the radar: if Twitter isn’t working or the accounts are down, the malware can use Google Search to find the encrypted strings pointing to the command and control centers, Kaspersky Lab noted. The operators can change how their backdoors retrieve further commands or malware code whenever they need to.
When these additional backdoors are downloaded to a victim’s PC, they can fetch a larger backdoor which can copy, move and remove files, make directories, and download and execute new malware and other tools.
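The article says the operators deliver additional backdoors disguised as GIF pictures. The following defender-side check is added here as an illustration, not code from Kaspersky, Adobe or the MiniDuke operators; it assumes the hidden payload is carried as extra bytes after the GIF's 0x3B trailer (the article does not say how MiniDuke packs it), walks the real GIF structure to find that trailer, and reports anything that follows it. The sample images are constructed.

```python
def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of GIF data sub-blocks (length byte + bytes, ending in 0x00)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n

def gif_trailer_offset(data: bytes) -> int:
    """Walk header, colour tables, extensions and images; return offset of the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed = data[10]                      # logical screen descriptor flags
    pos = 13                               # 6-byte header + 7-byte descriptor
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 << (packed & 0x07))  # 3 bytes per entry, 2^(n+1) entries
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                  # trailer: a clean file ends right here
            return pos
        if block == 0x21:                  # extension: introducer, label, sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:                # image descriptor (9 bytes after introducer)
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:             # local colour table present
                pos += 3 * (2 << (lpacked & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos}")
    raise ValueError("no trailer found")

def appended_payload(data: bytes) -> bytes:
    """Return whatever follows the trailer; an empty result means nothing is hidden there."""
    return data[gif_trailer_offset(data) + 1:]

# Constructed 1x1 GIF89a with a graphics-control extension, a 2-entry palette and one image.
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"           # header + screen descriptor
             + b"\x00\x00\x00\xff\xff\xff"                         # global colour table
             + b"\x21\xf9\x04\x00\x00\x00\x00\x00"                 # graphics control extension
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"         # image descriptor
             + b"\x02\x02\x44\x01\x00"                             # LZW data + terminator
             + b"\x3b")                                            # trailer
# Constructed stand-in for a disguised payload appended after the trailer.
HIDDEN_STANDIN = b"CONSTRUCTED-PAYLOAD-STAND-IN"
SUSPECT_GIF = CLEAN_GIF + HIDDEN_STANDIN
```

Run over files a PDF reader or an unknown process has written, a non-empty result is a cheap triage signal that a "picture" is carrying something else.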
The Need to Patch Systems
“The Reader and Acrobat patches we put out last week will ensure users are safe from the MiniDuke campaign, so it’s important that users update to the latest version if they haven’t done so already,” Brad Arkin, senior director of product security at Adobe, told TechNewsWorld.
The malware authors may be able to keep exploiting the Adobe vulnerability simply because many users have not yet applied the patches Adobe has issued.