Information Warfare: More High Grade Malware Showing Up


March 13, 2013: Yet another Internet based attack against specific civilian, military, and government officials has been discovered and dissection continues as more layers are revealed. This one is a clever piece of malware called MiniDuke and it is directed at specific individuals in Ukraine, Belgium, Portugal, Romania, the Czech Republic, the United States, Hungary, and Ireland. The targets in the United States and Hungary appear, so far, to have only been non-government organizations.

MiniDuke delivers a secret software program, via an infected PDF file that monitors PCs it gets into, that passes back keyboard activity and files to servers in Panama and Turkey. MiniDuke is unique in terms of the attention paid to keeping its presence secret from network security systems. MiniDuke stays dormant until it senses it is not being monitored, then seeks out a specific Twitter feed that the hacker uses to communicate with infected machines.

MiniDuke carried out its attack using an official looking email, with a PDF file attached, sent to specific individuals. It is an email the recipients were not expecting. This is known in the trade as "spear fishing" (or "spear phishing"), which is a Cyber War technique that sends official looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends data from the email recipient's PC to the spear fisher's computer. In the last few years an increasing number of military, corporate, and government personnel have received these official-looking emails with a PDF document attached and asking for prompt attention.

MiniDuke is one of the most sophisticated spear phishing attacks seen so far. It shares some characteristic of professional American–Israeli efforts like Duqu but also incorporates some new ideas (heavy use of Twitter, a very gradual infection process, and lots of scouting). It’s unclear where it came from, or at least no one has released any information on that yet. This may mean that the author has been identified and the police are closing in. Or probably not, as MiniDuke appears to be the result of a major effort.




Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close