
Miniduke: web based infection vector

Igor Soumenkov
Kaspersky Lab Expert
Posted March 11, 11:43  GMT
Tags: Malware Descriptions, Vulnerabilities and exploits, Zero-day vulnerabilities

Together with our partner CrySyS Lab, we've discovered two new, previously-unknown infection mechanisms for Miniduke. These new infection vectors rely on Java and IE vulnerabilities to infect the victim's PC.

While inspecting one of the C&C servers of Miniduke, we have found files that were not related to the C&C code, but seemed to be prepared for infecting visitors using web-based vulnerabilities.

The page hxxp://[c2_hostname]/groups/business-principles.html is used as the starting point for the attack. It consists of two frames: one loads the decoy web page from a legitimate website (copied from http://www.albannagroup.com/business-principles.html), and the other performs the malicious activity (hxxp://[c2_hostname]/groups/sidebar.html).

[Figure: Source code of business-principles.html]

[Figure: Decoy web page loaded]

The second web page, "sidebar.html", contains 88 lines, mostly JavaScript, and works as a primitive exploit pack. Its code identifies the victim's browser and then serves one of two exploits. It also sends the collected browser data to another script with a POST request to "hxxp://[c2_hostname]/groups/count/write.php".

The exploits are located in separate web pages. Clients using Internet Explorer 8 are served "about.htm"; for other versions of the browser, and for any other browser capable of running Java applets, the JavaScript code loads "JavaApplet.html".

[Figure: JavaScript code inside the sidebar.html page]
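The two-branch chain above (landing page, sidebar.html exploit pack, fingerprint POST, then either the IE8 or the Java branch) can be reconstructed per client from web-proxy logs. The following is an added example, not code from the post or from Kaspersky Lab; the log format ("client method url status") and the log lines are constructed, and [c2_hostname] is kept as the post's placeholder.

```python
import re
from collections import defaultdict
# Constructed web-proxy log lines ("client method url status") modelled on the
# two-branch chain described in the post; [c2_hostname] is the post's placeholder.
SAMPLE_LOG = """\
10.0.0.5 GET http://[c2_hostname]/groups/business-principles.html 200
10.0.0.5 GET http://www.albannagroup.com/business-principles.html 200
10.0.0.5 GET http://[c2_hostname]/groups/sidebar.html 200
10.0.0.5 POST http://[c2_hostname]/groups/count/write.php 200
10.0.0.5 GET http://[c2_hostname]/groups/about.htm 200
10.0.0.5 GET http://[c2_hostname]/groups/pic.gif 200
10.0.0.7 GET http://[c2_hostname]/groups/business-principles.html 200
10.0.0.7 GET http://[c2_hostname]/groups/sidebar.html 200
10.0.0.7 GET http://[c2_hostname]/groups/JavaApplet.html 200
10.0.0.7 GET http://[c2_hostname]/groups/JavaApplet.class 200
10.0.0.9 GET http://www.albannagroup.com/business-principles.html 200
"""

# Stage name, HTTP method and URL-path pattern per step. The copied albannagroup.com
# decoy is deliberately absent: visiting the legitimate site alone is not an indicator.
STAGES = [
    ("landing", "GET", r"/groups/business-principles\.html$"),
    ("exploit_pack", "GET", r"/groups/sidebar\.html$"),
    ("fingerprint", "POST", r"/groups/count/write\.php$"),
    ("ie8_exploit", "GET", r"/groups/about\.htm$"),
    ("ie8_payload", "GET", r"/groups/pic\.gif$"),
    ("java_exploit", "GET", r"/groups/JavaApplet\.html$"),
    ("java_payload", "GET", r"/groups/JavaApplet\.class$"),
]
LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3})$", re.MULTILINE)

def classify(method, url):
    # Map one request to a chain stage, or None if it is unrelated to the chain.
    return next((s for s, m, p in STAGES if method == m and re.search(p, url)), None)

def reconstruct_chains(log_text):
    """Return {client: [stages in the order seen]} for successful chain requests."""
    chains = defaultdict(list)
    for match in LINE_RE.finditer(log_text):
        client, method, url, status = match.groups()
        stage = classify(method, url)
        if stage and status == "200":
            chains[client].append(stage)
    return dict(chains)

def verdict(stages):
    # Worst stage reached: a payload fetch means the host needs triage, not just the user.
    if any(s.endswith("_payload") for s in stages):
        return "likely compromised"
    if "exploit_pack" in stages:
        return "exploit pack served"
    return "landing page only" if stages else "clean"
```

Client 10.0.0.9 only fetched the genuine albannagroup.com page and never appears in the result, which is the point of keeping the decoy out of the stage list.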

Java exploit

The web page "JavaApplet.html" loads "JavaApplet.class", which implements a Java exploit for the recently discovered vulnerability CVE-2013-0422. The exploit code is very similar to the one published in the Metasploit kit, but the inner class that disables the security manager is encoded differently, most likely to evade detection. According to the server's HTTP headers, the applet was uploaded on February 11, 2013, one month after the Metasploit code was published and two days before Oracle issued a security alert regarding the vulnerability.

HEAD /groups/JavaApplet.class HTTP/1.1
Host: [c2_hostname]

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Date: Fri, 08 Mar 2013 06:18:04 GMT
Content-Type: application/octet-stream
Accept-Ranges: bytes
Last-Modified: Mon, 11 Feb 2013 09:50:31 GMT
ETag: "f794173b3d8ce1:e96"
Content-Length: 52408

The Java shellcode contains the complete payload, a Win32 DLL file encoded in hex. It decodes the binary and writes it to the Java temporary directory under the name "ntuser.bin". It then copies the system file "rundll32.exe" to the same directory as "ntuser.exe" and runs it with "ntuser.bin" as a parameter, effectively loading the malicious DLL. That DLL is the main module of Miniduke, and it uses the URL http://twitter.com/TamicaCGerald to fetch commands.

[Figure: Tweet with an encoded MiniDuke command (decoded command URL: hxxp://www.artas.org/web/)]
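The Java payload's behaviour described above (a copy of rundll32.exe running under a different name from the Java temp directory, with "ntuser.bin" as its argument) is the kind of pattern an endpoint process-creation rule can catch. The following is an added example, not the post's or Kaspersky Lab's code; it assumes Sysmon-style event fields (Image, CommandLine, OriginalFileName, ParentImage), assumes the Java temp directory is the user's %TEMP%, and the events and paths are constructed.

```python
import ntpath

# Constructed process-creation events in a Sysmon-like shape (assumed field names:
# Image, CommandLine, OriginalFileName, ParentImage). Paths are illustrative; the
# Java temp directory is assumed to be the user's %TEMP% (java.io.tmpdir default).
EVENTS = [
    {   # the behaviour described in the post: rundll32 copied as ntuser.exe
        "Image": r"C:\Users\alice\AppData\Local\Temp\ntuser.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\ntuser.exe" C:\Users\alice\AppData\Local\Temp\ntuser.bin',
        "OriginalFileName": "RUNDLL32.EXE",
        "ParentImage": r"C:\Program Files\Java\jre7\bin\java.exe",
    },
    {   # benign: the real rundll32 started by Explorer
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
        "OriginalFileName": "RUNDLL32.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # benign: an installer running from %TEMP%
        "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
        "CommandLine": r"setup.exe /quiet",
        "OriginalFileName": "SETUP.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

JAVA_HOSTS = {"java.exe", "javaw.exe", "jp2launcher.exe"}  # assumed applet host processes

def findings(event):
    """Return the list of rule names that fire on one process-creation event."""
    hits = []
    image = event["Image"].lower()
    name = ntpath.basename(image)
    original = event.get("OriginalFileName", "").lower()
    parent = ntpath.basename(event["ParentImage"].lower())
    cmdline = event["CommandLine"].lower()
    is_rundll32 = original == "rundll32.exe"   # version info identifies the binary
    if is_rundll32 and name != "rundll32.exe":
        hits.append("rundll32_renamed")          # file name no longer matches
    if is_rundll32 and not image.startswith("c:\\windows\\"):
        hits.append("rundll32_outside_systemroot")
    if is_rundll32 and parent in JAVA_HOSTS:
        hits.append("rundll32_spawned_by_java")
    if name == "ntuser.exe" and "ntuser.bin" in cmdline:
        hits.append("miniduke_ntuser_pattern")   # exact names reported in the post
    return hits

def triage(events):
    """Map each event's image path to its findings, keeping only events that fired."""
    return {e["Image"]: hits for e in events if (hits := findings(e))}
```

The first three rules are generic (a renamed rundll32 is suspicious whatever it is called), while the last one is the specific Miniduke artefact; the benign installer in %TEMP% fires nothing because its version information is not rundll32's.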

IE8 exploit

The web page "about.htm" implements an exploit for Microsoft Internet Explorer 8. It uses a vulnerability discovered at the end of December 2012, CVE-2012-4792. The code is also very similar to the Metasploit version of the exploit, while the payload part of the shellcode has been written by the Miniduke authors, re-using the backdoor's code. The Metasploit code was released on December 29, 2012 and the vulnerability was officially fixed on January 14, 2013 (MS13-008), while the page with the exploit was uploaded on February 11, 2013.

HEAD /groups/about.htm HTTP/1.1
Host: [c2_hostname]

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Date: Fri, 08 Mar 2013 06:49:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Mon, 11 Feb 2013 09:50:47 GMT
ETag: "b98150443d8ce1:e96"
Content-Length: 3842

The purpose of the shellcode is to download a GIF image from hxxp://[c2_hostname]/groups/pic.gif, then search for and decrypt the PE file hidden inside it. The PE file also appeared to be a modification of the main Miniduke backdoor module, and it uses the same Twitter URL as the Java payload.

Conclusions

We have discovered and analysed two previously unknown infection vectors that were used in the MiniDuke attacks. Although the exploits were already known and published at the time of the attack, they were still very recent and could have worked against designated targets. As previously recommended, updating Windows, Java and Adobe Reader to the latest versions should provide a basic level of defense against the known Miniduke attacks. Of course, it is possible that other unknown infection vectors exist; we will continue to monitor the situation and update the blog with new data when appropriate.


2 comments


mark117

2013 Mar 12, 11:47

Miniduke


Hi Igor Soumenkov,

Very interesting article on the Miniduke exploit.

What I was curious about is that you say the exploit is active on IE8, right, but you also say that it could be exploited on other browsers too. I currently have Firefox 19.2 and IE10; I run minimal plugins other than my PURE 3.0 ones and ad-block in Firefox. Sorry, went off there. What I was asking is whether the exploit is possibly able to work on IE10 and, say, Firefox 19.0 or other versions.
Thank you,
mark117


Galoget Latorre

2013 Mar 14, 06:43

Exploit Shield

Hi Igor,

Very interesting and good post. I have a question: at present I have "ExploitShield Browser Edition" installed; am I still vulnerable to such exploits? And are these exploits dependent on the victim's OS, or only on the browser?
