The Miniduke Attacks are Back in Force

July 3, 2014

LONDON, July 3, 2014 /PRNewswire/ –

Kaspersky Lab researchers have discovered that the old style Miniduke implants from
2013 are still around and are being used in active campaigns that target governments and
other entities. In addition, Miniduke’s new platform – BotGenStudio – may be used not only
by APT style attackers, but by law enforcement agencies and traditional criminals too.

Although the Miniduke APT actor stopped its campaign, or at least decreased its
intensity, in the wake of the announcement
[https://www.securelist.com/en/blog/208194129/The_MiniDuke_Mystery_PDF_0_day_Government_Spy_Assembler_0x29A_Micro_Backdoor ]
made by Kaspersky Lab with its partner, CrySyS Lab, last
year, in the beginning of 2014 they once again resumed attacks in full force in early
2014. This time around we have noticed changes in the way attackers act and tools they

The “new” Miniduke backdoor

After the 2013 exposure, the actor behind Miniduke started using another custom
backdoor, capable of stealing various types of information. The malware spoofs popular
applications which are designed to run in the background, including file information,
icons and even file size.

The main “new” Miniduke backdoor (aka TinyBaron or CosmicDuke) is compiled using a
customisable framework called BotGenStudio, which has flexibility to enable or disable
components when the bot is constructed. The components can be divided into 3 groups:

1. Persistence – Miniduke/CosmicDuke is capable of starting via Windows Task
Scheduler, a customised service binary that spawns a new process set in the special
registry key or is launched when the user is away and screensaver is activated.

2. Reconnaissance – The malware is able to steal a variety of information, including
files based on extensions and file name keywords, like *.exe; *.ndb; *.mp3; *.avi; *.rar;
*.docx; *.url; *.xlsx; *.pptx; *psw*; *pass*; *login*; *admin*; *vpn; *.jpg; *.txt; *.lnk;
*.dll; *.tmp., etc.

The backdoor has many other capabilities including: keylogger, general network
information harvester, screen grabber, clipboard grabber; Microsoft Outlook, Windows
Address Book stealer, password stealer for Skype, Google Chrome, Google Talk, Opera,
TheBat!, Firefox, Thunderbird, Protected Storage secrets harvester, Certificate/private
keys exporter, etc.

3. Exfiltration – The malware implements several network connectors to exfiltrate
data, including uploading data via FTP and three various variants of HTTP communication

Storing exfiltrated data is another interesting feature of MiniDuke. When a file is
uploaded to the C&C server it is split in small chunks (~3Kb), which are compressed,
encrypted and placed in a container to be uploaded to the server. If the file is large
enough it may be placed into several different containers that are uploaded independently.
All these layers of additional processing guarantees that very few researchers will be
able to get to the original data.

Unique features

Each victim of MiniDuke is assigned a unique ID which allows the pushing of specific
updates to an individual victim.

For self-protection, it uses a custom obfuscated loader which heavily consumes CPU
resources before passing execution to the payload. Doing so, they prevented antimalware
solutions from analysing the implant and detect malicious functionality via emulator. It
also complicates analysis of the malware.

Main Findings:

C&Cs – twofold purpose. During the analysis, Kaspersky Lab experts were able to obtain
a copy of one of the CosmicDuke command and control servers. It appears it was used not
only for communication between actors behind the CosmicDuke and infected PCs, but also for
other operations by the group members including hacking into other servers on the Internet
with the goal of collecting everything that can lead to potential targets. For this
purpose, the C&C was equipped with range of publicly available hacking tools for searching
for vulnerabilities in websites using different engines and compromising it.

Victims. Interestingly, while the old style Miniduke implants were used to target
mostly government entities, the new style CosmicDuke implants have a different typology of
victims. Other than governments, there are diplomatic organisations, energy sector,
telecom operators, military contractors and individuals involved in the traffic and
selling of illegal and controlled substances.

We have analysed both CosmicDuke and old style Miniduke servers. From the latter ones
we were able to extract a list of victims and their corresponding countries, and so
experts have found out that users of the old style Miniduke servers were interested in
targets in Australia, Belgium, France, Germany, Hungary, Netherlands, Spain, Ukraine, the
United States. Victims in at least three of these countries belong to the “government”

One of the analysed CosmicDuke servers had a long list of victims (139 unique IPs)
starting from April 2012. In terms of geographic distribution and top 10 countries,
victims belong to Georgia, Russia, US, Great Britain, Kazakhstan, India, Belarus, Cyprus,
Ukraine, Lithuania. The attackers were also slightly interested in expanding their
operations and scanned IP ranges and servers of Republic of Azerbaijan, Greece and

Commercial platform. The most unusual victims discovered were individuals which
appeared to be involved in the traffic and reselling of controlled and illegal substances,
such as steroids and hormones. These victims have been observed only in Russia.

“It’s a bit unexpected – normally, when we hear about APTs, we tend to think they are
nation-state backed cyber espionage campaigns. But we see two explanations for this. One
possibility is that malware platform BotGenStudio used in Miniduke is also available as a
so-called “legal spyware” tool, similar to others, such as HackingTeam’s RCS, widely used
by law enforcement. Another possibility is that it’s simply available in the underground
and purchased by various competitors in the pharma business to spy on each other” -
commented Vitaly Kamluk, Principal Security Researcher at the Global Research & Analysis
Team, Kaspersky Lab.

Attribution and Artifacts. Although the attackers use English in several places
indicating knowledge of this language, there are certain indicators – like strings in a
block of memory appended to the malware component used for persistence – which make
experts believe they are not native English speakers.

Kaspersky Lab experts were also able to indicate the activity of the
Miniduke/CosmicDuke attackers on a Day-of-the-Week basis. It appears the attackers follow
the Mon-Fri work week, however, they are not holding back from working the weekends from
time to time. In terms of activity hours, the attackers appears to be working between
6am-7pm GMT. Most of the work is done between 6am and 4pm though.

Detection. Kaspersky Lab products detect CosmicDuke backdoor as
Backdoor.Win32.CosmicDuke.gen and Backdoor.Win32.Generic.

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection
solutions. The company is ranked among the world’s top four vendors of security solutions
for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained
an innovator in IT security and provides effective digital security solutions for large
enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the
United Kingdom, currently operates in almost 200 countries and territories across the
globe, providing protection for over 300 million users worldwide. Learn more at


* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue
by Vendor, 2012. The rating was published in the IDC report “Worldwide Endpoint Security
2013-2017 Forecast and 2012 Vendor Shares (IDC #242618, August 2013). The report ranked
software vendors according to earnings from sales of endpoint security solutions in 2012.

        Editorial contact:
        Berkeley PR
        Lauren White
        Telephone: +44(0)118-909-0909
        1650 Arlington Business Park
        RG7 4SA, Reading

        Kaspersky Lab UK
        Ruth Knowles
        Telephone: +44(0)7590-440-433
        2 Kingdom Street
        W2 6BD, London

SOURCE Kaspersky Lab

Source: PR Newswire

comments powered by Disqus