Israel is one of 23 countries targeted by a just-born virus that cleverly exploits Adobe Reader PDF files to install a new, highly customized malicious program on computers. Dubbed “MiniDuke” by anti-virus groups Kaspersky Lab, the virus has been used in the past week to attack dozens of servers in government organizations and institutions worldwide.
So far, Kaspersky said Wednesday, MiniDuke has managed to cause significant cyber-damage to government organizations in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two think tanks, and a healthcare provider in the United States were also compromised, as was a prominent research foundation in Hungary.
The MiniDuke attack has the hallmarks of a deliberate, highly sophisticated campaign to attack government and institutional computers, using social engineering techniques to spread itself — with notable success, Kaspersky said. The initial attack is undertaken through PDF documents that are relevant and contain well-crafted content, discussing issues such as Ukrainian foreign policy and NATO membership plans.
Once opened, the documents drop a very small, nearly undetectable downloader program into the user’s system, written in Assembler – the basic building block of computer commands, requiring a very high level of sophistication to write. When loaded at system boot, the downloader uses a set of mathematical calculations to determine the computer’s unique fingerprint, and in turn uses this data to uniquely encrypt its communications later. It is also programmed to avoid analysis by anti-bugging and anti-virus tools.
If it finds certain programs running that can detect its presence, the downloader remains idle – waiting for the moment when the detector tools are not operating, at which point it moves on to a further stage. At that point, it starts searching Twitter for specific tweets that contain encrypted URLs that allow the hackers access to the computer. If Twitter is not in use, the virus can use Google Search to find what it needs. Once connected to the encrypted URLs, the virus downloads other malware, eventually putting the computer under the control of servers in Panama and Turkey.
Commenting on the attack, Eugene Kaspersky, who heads Kaspersky Lab, said that it was the most sophisticated cyber-attack he has observed in some time.
“This is a very unusual cyberattack,” he said. “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld. These elite, ‘old school’ malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries.
“The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous,” Kaspersky added.