MiniDuke Malware Used in Targeted Attacks Against Ukraine

Bait document used in attacks against Ukraine

Since the Ukraine crisis started, security experts have reported spotting cyberattacks aimed at the country’s networks. Now, researchers from F-Secure say they’ve uncovered a number of Ukraine-related documents that appear to have been used last year as decoys to distribute MiniDuke malware.

The existence of the MiniDuke cyber espionage campaign, which targeted European governments, was revealed in February 2013 by Kaspersky. At the time, experts said that cybercriminals had been using a PDF zero-day to trick targets into installing malware.

For their investigation of MiniDuke attacks, F-Secure researchers have developed a tool that extracts the payloads from the decoy PDF documents in an effort to find similar cases. They’ve uncovered a series of documents referencing Ukraine.

Many of the decoy documents have been taken from public sources. However, there’s one file that doesn’t appear to be publicly available.

It’s a letter from the First Deputy Minister for Foreign Affairs of Ukraine, Ruslan Demchenko, to the heads of foreign diplomatic institutions in the country regarding the 100th anniversary of World War I.

The fact that the document is not publicly available could indicate that the MiniDuke attackers had or still have access to the systems of Ukraine’s Ministry of Foreign Affairs. However, for the time being, F-Secure doesn’t want to jump to any conclusions.

“We don’t know where the attacker got this decoy file from. We don’t know who was targeted by these attacks. We don’t know who’s behind these attacks,” noted F-Secure’s Mikko Hypponen in a blog post.

“What we do know is that all these attacks used the CVE-2013-0640 vulnerability and dropped the same backdoor (compilation date 2013-02-21).”
