“To investigate similar cases, we have created a tool for extracting the payloads and the decoy documents from MiniDuke PDF files. With this tool we were able to process a large batch of potential MiniDuke samples last week. While browsing the set of extracted decoy documents, we noticed several ones that had references to Ukraine. This is interesting considering the current crisis in the area,” reported Mikko Hypponen, the CTO of security research firm F-Secure.
The documents explicitly refer to political issues, such as the recent crisis in Ukraine or NATO information, in an attempt to deceive the victims. F-Secure reported, for example, a bogus document signed by Ruslan Demchenko, the First Deputy Minister for Foreign Affairs of Ukraine.
“The letter is addressed to the heads of foreign diplomatic institutions in Ukraine. When translated, it’s a note regarding the 100th year anniversary of the 1st World War,” states Hypponen.
The use of such documents suggests that the attackers had access to material from the Ukrainian Ministry of Foreign Affairs; in any case, they have no difficulty with the language used.
“We don’t know where the attacker got this decoy file from,” the report continues. “We don’t know who was targeted by these attacks. We don’t know who’s behind these attacks. What we do know is that all these attacks used the CVE-2013-0640 vulnerability and dropped the same backdoor (compilation date 2013-02-21).”
Who is behind the attack?
It is impossible to determine the real nature of the attackers with any confidence: attribution is a hard problem, especially when the attackers demonstrate the ability to run a high-level APT campaign with sophisticated evasion techniques.
As Hypponen remarked during the recent TrustyCon conference, there is a risk that government-built malware and cyber weapons will run out of control: any government could reverse engineer the code of malware like MiniDuke, and the result could be reused by state-sponsored hackers and cyber criminals, two categories separated by a thin line.
(Security Affairs – search engine, malware)
March 4th, 2014 UPDATE: “These examples were found by mining old samples. The cases above are from 2013. So far, we haven’t found Ukraine-related Miniduke samples that would have been used in 2014,” reported F-Secure.