MiniDuke at least 21 months old: Bitdefender

Older strains of espionage malware found in logs; questions of origin raised

Miniduke targeted government institutions through an unpatched Adobe Reader vulnerability.

Cyber espionage malware MiniDuke - publicised last week by Kaspersky Lab - has been operating for at least 21 months, Romanian Web security specialist Bitdefender has revealed.

MiniDuke was found to have targeted governments in Ireland, Romania, Portugal, Belgium and the Czech Republic, according to a Guardian report.

Moscow-based Kaspersky Lab characterised the attack as employing "old-school tactics". It exploited a vulnerability in Adobe Reader that has since been patched. The attackers would bombard institutions with emails, disguising a PDF attachment as something a government employee was likely to open, such as a memorandum on foreign policy or human rights.

Opening the document would install the malware, but despite being able to report that MiniDuke's designers operated servers in Turkey and Panama, Kaspersky Lab was unable to provide any information about what the ultimate aim of the incursion was.

"It's currently unclear what the attackers were after. But the interest in these high-profile victims is quite obvious," said Vitali Kamluk, chief malware expert at Kaspersky Lab.

"This is a very unusual cyber attack," said Eugene Kaspersky, founder and chief executive, Kaspersky Lab.

"I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyber world."

By trawling its own detection logs, Bitdefender found samples of the MiniDuke malware dated May 2012 and even earlier entries from June 2011. The older strain raises questions over the origins of the attackers because it retrieves time data from a clock system on a US Navy server. The more recent versions, such as those found by Kaspersky, were using a clock set to a Chinese time zone, according to Bitdefender.

"The discovery of this older MiniDuke malware strain raises questions about the origin of the 2012 samples and the malware as a whole," said Bitdefender chief security strategist Catalin Cosoi.

"The switch from a US Navy clock to a Chinese clock suggests the malware's designers are simply throwing up a smoke cloud as to their identity."

But Cosoi still believes the prevailing theory that the malware was intended to steal information from government systems.

"MiniDuke was clearly designed as a cyber-espionage tool to specifically target key sensitive government data," he said. "This casts a degree of doubt on who designed MiniDuke."
