
'MiniDuke' Targeted Attacks Also Use Java, Internet Explorer Exploits

Kelly Jackson Higgins

Additional attack vectors also could be found, researchers say

Researchers who first spotted a targeted attack campaign aimed at a small number of government bodies in 23 countries -- mainly in Europe -- say they've discovered two new attack vectors in the attacks.

The so-called "miniDuke" campaign, first revealed by Kaspersky Lab and CrySys Lab late last month, initially was seen using a zero-day attack exploiting Adobe Reader 9, 10, and 11 (CVE-2013-0640) via spearphishing. The emails included convincing-looking PDF files that purported to contain information on a human rights seminar, Ukraine's foreign policy, and NATO membership plans.


But in the latest twist, Kaspersky and CrySys Lab found miniDuke employs two Web-based attack vectors as well. "Although the exploits were already known and published at the time of the attack, they were still very recent and could have worked against designated targets," said Igor Soumenkov, a Kaspersky Lab Expert, in a blog post today. "Of course, it is possible that other unknown infection vectors exist; we will continue to monitor the situation and update the blog with new data when appropriate."

The latest versions of Windows, Java, and Reader serve as basic protection from the miniDuke attacks, which Kaspersky Lab has seen attacking some 59 different victim organizations in countries including Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, the U.K., and the U.S.

Soumenkov said the Java exploit abuses the CVE-2013-0422 vulnerability in Java, and looks a lot like the one issued by Metasploit. "The code of the exploit is very similar to the one published in the Metasploit kit, but the inner class that disables the security manager is encoded differently, most likely to avoid detection. According to HTTP headers of the server, the applet was uploaded on February 11, 2013, one month after the Metasploit code was published and two days before Oracle issued a security alert regarding the vulnerability," Soumenkov said in his post.

The IE 8 exploit, meanwhile, goes after the CVE-2012-4792 flaw in the browser, and also resembles the corresponding Metasploit module for the bug. "The code is also very similar to the Metasploit version of the exploit, while the payload part of the shellcode has been written by the Miniduke authors re-using the backdoor's code. The Metasploit code was released on December 29, 2012 and the vulnerability was officially fixed on January 14, 2013 (MS13-008) while the page with the exploit was uploaded on February 11, 2013," Soumenkov said.

Kaspersky Lab's latest post on miniDuke is here.


