MiniDuke at least 21 months old: Bitdefender

Older strains of espionage malware found in logs; questions of origin raised

Miniduke targeted government institutions through an unpatched Adobe Reader vulnerability.
By Stephen McBride, published March 5, 2013

Cyber espionage malware MiniDuke - publicised last week by Kaspersky Lab - has been operating for at least 21 months, Romanian Web security specialist Bitdefender has revealed.

MiniDuke was found to have targeted governments in Ireland, Romania, Portugal, Belgium and the Czech Republic, according to a Guardian report.

Moscow-based Kaspersky Lab characterised the attack as employing "old-school tactics". It exploited a vulnerability in Adobe Reader that has since been patched. The attackers would bombard institutions with emails, disguising a PDF attachment as something a government employee was likely to open, such as a memorandum on foreign policy or human rights.

Opening the document would install the malware, but despite being able to report that MiniDuke's designers operated servers in Turkey and Panama, Kaspersky Lab was unable to provide any information about what the ultimate aim of the incursion was.

"It's currently unclear what the attackers were after. But the interest in these high-profile victims is quite obvious," said Vitali Kamluk, chief malware expert at Kaspersky Lab.

"This is a very unusual cyber attack," said Eugene Kaspersky, founder and chief executive, Kaspersky Lab.

"I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyber world."

By trawling its own detection logs Bitdefender found samples of the MiniDuke malware dated May 2012 and yet earlier entries in June 2011. The older strain raises questions over the origins of the attackers because it retrieves time data from a clock system in a US Navy server. The more recent versions, such as those found by Kaspersky, were using a clock set to a Chinese time zone, according to Bitdefender.

"The discovery of this older MiniDuke malware strain raises questions about the origin of the 2012 samples and the malware as a whole," said Bitdefender chief security strategist Catalin Cosoi.

"The switch from a US Navy clock to a Chinese clock suggests the malware's designers are simply throwing up a smoke cloud as to their identity."

But Cosoi still believes the prevailing theory that the malware was intended to steal information from government systems.

"MiniDuke was clearly designed as a cyber-espionage tool to specifically target key sensitive government data," he said. "This casts a degree of doubt on who designed MiniDuke."
