Together with our partner CrySyS Lab, we've discovered two new, previously unknown infection mechanisms for Miniduke. These new infection vectors rely on Java and IE vulnerabilities to infect the victim's PC.
While inspecting one of the C&C servers of Miniduke, we have found files that were not related to the C&C code, but seemed to be prepared for infecting visitors using web-based vulnerabilities.
The page hxxp://[c2_hostname]/groups/business-principles.html is used as a starting point for the attack. It consists of two frames: one loads the decoy web page from a legitimate website (copied from http://www.albannagroup.com/business-principles.html), and the other performs the malicious activity (hxxp://[c2_hostname]/groups/sidebar.html).
[Figure: source code of business-principles.html]
[Figure: decoy web page loaded]
HEAD /groups/JavaApplet.class HTTP/1.1
HTTP/1.1 200 OK
Date: Fri, 08 Mar 2013 06:18:04 GMT
Last-Modified: Mon, 11 Feb 2013 09:50:31 GMT
The Java shellcode contains the complete payload, a Win32 DLL file encoded in hex. It decodes the binary and writes it to a Java temporary directory under the name "ntuser.bin". Then it copies the system file "rundll32.exe" to the same directory under the name "ntuser.exe" and runs it with "ntuser.bin" as a parameter, effectively loading the malicious DLL. That DLL is the main module of Miniduke, and it uses the URL http://twitter.com/TamicaCGerald to fetch commands.
[Figure: tweet with an encoded MiniDuke command (decoded command URL: hxxp://www.artas.org/web/)]
HEAD /groups/about.htm HTTP/1.1
HTTP/1.1 200 OK
Date: Fri, 08 Mar 2013 06:49:33 GMT
Last-Modified: Mon, 11 Feb 2013 09:50:47 GMT
The purpose of the shellcode is to download a GIF image file from the URL hxxp://[c2_hostname]/groups/pic.gif, then search for and decrypt the hidden PE file inside it. The PE file also appeared to be a modification of MiniDuke's main backdoor module, using the same Twitter URL as the Java payload.
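As an added example (not code from the original post or from the MiniDuke samples), the following Python check is one a defender could run over a suspicious GIF such as pic.gif: it walks the GIF block structure, reports any bytes appended after the 0x3B trailer, and scans that tail for a plain MZ/PE header. The sample GIF and fake PE header are constructed; the real payload was encrypted, so the assumption that it sits past the trailer is ours, and the presence of trailing data is the durable signal while the MZ scan only catches unobfuscated payloads.

```python
import struct

def _skip_subblocks(data: bytes, pos: int) -> int:
    # Advance past a chain of length-prefixed sub-blocks that ends with a zero-length block.
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def _colour_table_size(packed: int) -> int:
    # Bit 7 of the packed field says a colour table follows; bits 0-2 give 2^(n+1) RGB entries.
    return 3 * (2 ** ((packed & 7) + 1)) if packed & 0x80 else 0

def gif_trailing_data(data: bytes) -> bytes:
    """Walk the GIF block structure and return every byte that follows the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    pos = 13 + _colour_table_size(data[10])   # 6-byte header + 7-byte logical screen descriptor + GCT
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                       # trailer: a well-formed GIF ends here
            return data[pos + 1:]
        if block == 0x21:                       # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif block == 0x2C:                     # image descriptor, optional local table, LZW code size
            pos += 10 + _colour_table_size(data[pos + 9]) + 1
            pos = _skip_subblocks(data, pos)
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos}")
    return b""                                  # no trailer at all: truncated file

def find_pe(blob: bytes) -> int:
    """Offset of the first MZ header whose e_lfanew points at a 'PE\\0\\0' signature, else -1."""
    i = blob.find(b"MZ")
    while i != -1:
        if i + 0x40 <= len(blob):
            lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
            if blob[i + lfanew:i + lfanew + 4] == b"PE\0\0":
                return i
        i = blob.find(b"MZ", i + 1)
    return -1

def inspect_gif(data: bytes) -> dict:
    """Report how much data sits past the trailer and whether an unobfuscated PE image is visible in it."""
    extra = gif_trailing_data(data)
    return {"trailing_bytes": len(extra), "pe_offset": find_pe(extra)}

# Constructed sample (not the real pic.gif): a valid 1x1 GIF, 16 bytes of padding, then a minimal fake PE header.
TINY_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 6
            + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00" + b"\x00" + b"\x02" + b"\x02\x44\x01\x00" + b"\x3b")
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 16
SAMPLE = TINY_GIF + b"\x11" * 16 + FAKE_PE
```

Running `inspect_gif(SAMPLE)` reports 100 trailing bytes with a PE header at offset 16 of the tail; for a clean GIF the trailing length is 0.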
We have discovered and analysed two previously unknown infection vectors that were used in the MiniDuke attacks. Although the exploits were already known and published at the time of the attack, they were still very recent and could have worked against the designated targets. As previously recommended, updating Windows, Java and Adobe Reader to the latest versions should provide a basic level of defense against the known Miniduke attacks. Of course, it is possible that other unknown infection vectors exist; we will continue to monitor the situation and update the blog with new data when appropriate.
2013 Mar 12, 11:47
2013 Mar 14, 06:43