Together with our partner CrySyS Lab, we’ve discovered two new, previously-unknown infection mechanisms for Miniduke. These new infection vectors rely on Java and IE vulnerabilities to infect the victim’s PC.
While inspecting one of the C&C servers of Miniduke, we have found files that were not related to the C&C code, but seemed to be prepared for infecting visitors using web-based vulnerabilities.
The page hxxp://[c2_hostname]/groups/business-principles.html is used as an starting point for the attack. It consists of two frames, one for loading the decoy web page from a legitimate website (copied from http://www.albannagroup.com/business-principles.html), and another for performing malicious activities (hxxp://[c2_hostname]/groups/sidebar.html)
Source code of business-principles.html
Decoy webpage loaded
The web page “JavaApplet.html” loads “JavaApplet.class” that implements a Java exploit for the recently discovered vulnerability CVE-2013-0422. The code of the exploit is very similar to the one published in the Metasploit kit, but the inner class that disables the security manager is encoded differently, most likely to avoid detection. According to HTTP headers of the server, the applet was uploaded on February 11, 2013, one month after the Metasploit code was published and two days before Oracle issued a security alert regarding the vulnerability.
HEAD /groups/JavaApplet.class HTTP/1.1
HTTP/1.1 200 OK
Date: Fri, 08 Mar 2013 06:18:04 GMT
Last-Modified: Mon, 11 Feb 2013 09:50:31 GMT
The Java shellcode contains the complete payload, a Win32 DLL file encoded in hex. It decodes the binary and writes it to a Java temporary directory with name “ntuser.bin”. Then, it copies the system file “rundll32.exe” to the same directory with name “ntuser.exe” and runs it with “ntuser.bin” as a parameter, effectively loading the malicious DLL file. That DLL file is the main module of Miniduke, and it uses the URL http://twitter.com/TamicaCGerald to fetch commands.
Tweet with an encoded MiniDuke command
(decoded command URL: hxxp://www.artas.org/web/)
The web page “about.htm” implements an exploit for Microsoft Internet Explorer 8. It uses a vulnerability discovered at the end December 2012, CVE-2012-4792. The code is also very similar to the Metasploit version of the exploit, while the payload part of the shellcode has been written by the Miniduke authors re-using the backdoor’s code. The Metasploit code was released on December 29, 2012 and the vulnerability was officialy fixed on January 14, 2013 (MS13-008) while the page with the exploit was uploaded on February 11, 2013.
HEAD /groups/about.htm HTTP/1.1
HTTP/1.1 200 OK
Date: Fri, 08 Mar 2013 06:49:33 GMT
Last-Modified: Mon, 11 Feb 2013 09:50:47 GMT
The purpose of the shellcode is to download a GIF image file from URL hxxp://[c2_hostname]/groups/pic.gif, then search for and decrypt the hidden PE file inside of it. The PE file also appeared to be a modification of the Miniduke’s main backdoor module that uses the same Twitter URL as the Java payload.
We have discovered and analysed two previously unknown infector vectors that were used in the MiniDuke attacks. Although the exploits were already known and published at the time of the attack, they were still very recent and could have worked against designated targets. As previously recommended, updating Windows, Java and Adobe Reader to the latest versions should provide a basic level of defense against the known Miniduke attacks. Of course, it is possible that other unknown infection vectors exist; we will continue to monitor the situation and update the blog with new data when appropriate.
Leave a reply