MiniDuke

From Botnets.fr


MiniDuke
Alias: SandyEva
Group: Spying
Parent:
Sibling:
Family:
Relations: Variants: / Sibling of: / Parent of: / Distribution of: / Campaigns:
Target:
Origin:
Distribution vector:
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; windows NT 5.1; .NET CLR 2.0.50727; .NT CLR 2.0.4506.2151; .N&T CLR 3.5.30729; InfoPath.2)
CCProtocol: Twitter (Centralized)
Activity: 2013 /
Status:
Language:
Programming language:
Operation/Working group:

Introduction

  • Infection by a crafted PDF file (CVE-2013-0640)
  • 20 kB downloader (crafted each time specifically for the attacked systems), which calculates a unique fingerprint of the host that is also used for encryption
  • Receives encrypted backdoors obfuscated within GIF files
  • These then fetch a larger backdoor that carries out the actual spying activities
  • Kaspersky identified 59 unique victims in 23 countries (Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, United Kingdom and United States)
  • Related to ItaDuke

Features

CVE: CVE-2013-0640

Associated images

Checksums / AV databases

Publications

Title                                                                        | Author                         | Editor        | Year
Analysis of a stage 3 Miniduke malware sample                                | CIRCL                          |               | 2013
F-Secure has discovered MiniDuke malware samples in the wild                 | Pierluigi Paganini             |               | 2014
Miniduke                                                                     | CrySyS Lab                     |               | 2013
Targeted attacks and Ukraine                                                 | Mikko Hypponen, Timo Hirvonen  | F-Secure      | 2014
The MiniDuke mystery: PDF 0-day government spy assembler 0x29A micro backdoor | GReAT                          | Kaspersky lab | 2013