New attack unleashed MINIDUKE ,The governments of at least 20 countries may have fallen victim to a sophisticated new cyber-attack. Security experts believe the hackers are attempting to steal political intelligence.MiniDuke has infected government entities in the Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two think-tanks, and a healthcare provider in the US were also compromised. A prominent research organisation in Hungary was also infected with the mystery malware. An analysis of logs from command servers, suggest the malware has hit 59 unique victims in 23 countries including locations as diverse as Brazil, Israel, Germany, Lebanon, Spain, the UK and Japan.
The governments of at least 20 countries may have fallen victim to a sophisticated new cyber-attack. Security experts believe the hackers are attempting to steal political intelligence.
Computer security firms Kaspersky Lab and CrySyS Lab discovered that the malware, dubbed "MiniDuke," targeted government computers in the Czech Republic, Ireland, Portugal and Romania along with think tanks, research institutes and healthcare providers in the United States.
“The technical indicators from our analysis show this is a new type of threat actor that hasn't been seen before,” Kurt Baumgartner, a senior security researcher with Kaspersky Lab.
but its very difficult to identify the hackers so their locations are on the trace.The threat operates on low-level code to stay hidden, and uses Twitter and Google to get instructions and updates. It allegedly infected PCs when ‘victims’ opened a cleverly disguised Adobe PDF attachment to an email.
“The high level of encryption in the malware and the flexible system it used to communicate with the C2 via Twitter and Google indicates this was a strategically planned operation,” Baumgartner said.
“This is a very unusual cyberattack,” said Eugene Kaspersky, founder and chief exec of Kaspersky Lab. “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld."
Its is one of the most amazing technology as its size is as small as hay but it is as deadly as warfare missile.
Their mode of propogation Booby-trapped documents that formed the theme of the attack featured fabricated human rights seminar information (ASEM) and Ukraine’s foreign policy and NATO membership plans. These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10, and 11, bypassing Adobe's sandbox in the process. The toolkit used to create these exploits were the same as those that featured in a recent attack reported by FireEye, even though these latter assaults featured a different attack payload.
"Some of the elements remind us of cyber-espionage tools such as Duqu or Red October, such as the minimalistic approach, hacked servers, encrypted channels and also the typology of the victims. The amount of high profile victims in this attack is also notable and puts it on the same level with other advanced campaigns such as Red October."
How effective?
The malware backdoor connects to two servers, one in Panama and one in Turkey, to receive instructions from the attackers, according to a joint analysis of the malware by Kaspersky Lab and Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS), who previously worked with their Russian counterparts in analysing Flame, another cyber-espionage tool.
reference :- http://www.theregister.co.uk/2013/02/27/miniduke/
http://gadgets.ndtv.com/internet/news/nato-european-governments-hit-by-miniduke- cyber-attack-336476
The governments of at least 20 countries may have fallen victim to a sophisticated new cyber-attack. Security experts believe the hackers are attempting to steal political intelligence.
Computer security firms Kaspersky Lab and CrySyS Lab discovered that the malware, dubbed "MiniDuke," targeted government computers in the Czech Republic, Ireland, Portugal and Romania along with think tanks, research institutes and healthcare providers in the United States.
“The technical indicators from our analysis show this is a new type of threat actor that hasn't been seen before,” Kurt Baumgartner, a senior security researcher with Kaspersky Lab.
but its very difficult to identify the hackers so their locations are on the trace.The threat operates on low-level code to stay hidden, and uses Twitter and Google to get instructions and updates. It allegedly infected PCs when ‘victims’ opened a cleverly disguised Adobe PDF attachment to an email.
“The high level of encryption in the malware and the flexible system it used to communicate with the C2 via Twitter and Google indicates this was a strategically planned operation,” Baumgartner said.
“This is a very unusual cyberattack,” said Eugene Kaspersky, founder and chief exec of Kaspersky Lab. “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld."
Its is one of the most amazing technology as its size is as small as hay but it is as deadly as warfare missile.
Their mode of propogation Booby-trapped documents that formed the theme of the attack featured fabricated human rights seminar information (ASEM) and Ukraine’s foreign policy and NATO membership plans. These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10, and 11, bypassing Adobe's sandbox in the process. The toolkit used to create these exploits were the same as those that featured in a recent attack reported by FireEye, even though these latter assaults featured a different attack payload.
"Some of the elements remind us of cyber-espionage tools such as Duqu or Red October, such as the minimalistic approach, hacked servers, encrypted channels and also the typology of the victims. The amount of high profile victims in this attack is also notable and puts it on the same level with other advanced campaigns such as Red October."
How effective?
All this and Twitter functionality, too
Kaspersky Lab’s experts, in partnership with CrySys Lab, have analysed the attacks and published preliminary findings suggesting whoever created the malware was skilled and well-aware of the techniques used by anti-virus analysts. For one thing, the malware programmed to avoid analysis by a hardcoded set of tools in certain environments like VMware by laying dormant if it finds itself running in a virtualised environment.
If the target’s system meets the pre-defined requirements, the malware will use surreptitiously use Twitter to start looking for specific tweets from pre-made accounts, providing the encrypted locations of URLs associated with the spyware botnet's command and control channels. The same functionality allows to loading of additional backdoors onto compromised systems.
MiniDuke’s creators also provided a dynamic backup system. If Twitter isn’t working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next command and control node.
Once an infected system locates the C&C nodes, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim’s machine. Once they are downloaded to the machine they can download a larger backdoor that carries out several basic actions, such as copy file, move file, remove file, make directory, kill process, and, of course, download and execute new malware.
The malware backdoor connects to two servers, one in Panama and one in Turkey, to receive instructions from the attackers, according to a joint analysis of the malware by Kaspersky Lab and Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS), who previously worked with their Russian counterparts in analysing Flame, another cyber-espionage tool.
reference :- http://www.theregister.co.uk/2013/02/27/miniduke/
http://gadgets.ndtv.com/internet/news/nato-european-governments-hit-by-miniduke- cyber-attack-336476
No comments:
Post a Comment