Targeted attacks and Ukraine
(Publication) Google search: [1]
| Targeted attacks and Ukraine | |
|---|---|
| Botnet | MiniDuke |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2014 / 2014-04-01 |
| Editor/Conference | F-Secure |
| Link | http://www.f-secure.com/weblog/archives/00002688.html (Archive copy) |
| Author | Mikko Hypponen, Timo Hirvonen |
| Type | Blogpost |
Abstract
“ In 2013, a series of attacks against European governments was observed by Kaspersky Lab. The malware in question, known as MiniDuke, had many interesting features: it was tiny in size at 20KB. It used Twitter accounts for Command & Control and located backup control channels via Google searches. It installed additional backdoors onto the system via GIF files that embedded the malware.
As most APT attacks, MiniDuke was distributed via innocent looking document files that were emailed to targets. In particular, PDF files that exploited the CVE-2013-0640 vulnerability were used.
To investigate similar cases, we have created a tool for extracting the payloads and the decoy documents from MiniDuke PDF files. With this tool we were able to process a large batch of potential MiniDuke samples last week. While browsing the set of extracted decoy documents, we noticed several ones that had references to Ukraine. This is interesting considering the current crisis in the area.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2014BFR1382,
editor = {F-Secure},
author = {Mikko Hypponen, Timo Hirvonen},
title = {Targeted attacks and Ukraine},
date = {01},
month = Apr,
year = {2014},
howpublished = {\url{http://www.f-secure.com/weblog/archives/00002688.html}},
}