MINI-DUKE malware.
Discovered February 27, 2013.
First known sample: June 2011.
Risk: Document exfiltration.
Spread through an infected PDF file which deposits a dropper.
Once installed, the malware calls home using a URL found via Twitter or a Google search query. When successfully connected, new updates or payloads are installed under the disguise of .gif images.
Spread by social engineering: malicious PDFs sent by email.
Within the installed malware, the query strings are encrypted.
Infects Windows (via rundll32)
Runs briefly after each boot
Has a mechanism for adding modules & updates
Includes commands for:
mv - Moves a file. Uses MoveFileA api.
cp - Copies a file. Uses CopyFileA api.
rm - Deletes a file. Uses DeleteFileA api.
pwd - Gets current dir. Uses GetCurrentDirectoryA api.
cd - Sets current dir. Uses SetCurrentDirectoryA api.
rmdir - Removes dir. Uses RemoveDirectoryA api.
mkdir - Creates a dir. Uses CreateDirectoryA api.
pskill - Kills process. Uses OpenProcess, TerminateProcess apis.
This is how the malware exfiltrates documents from target computers.
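Two defender-side checks that follow from the behaviour listed above, written here as an added example (not code from the original post or from any MiniDuke analysis): a file named `.gif` whose leading bytes are not a GIF header, which is how the post says updates and payloads are disguised, and a boot-time `rundll32` launch followed shortly by a connection to twitter.com or google.com, the two lookup services the post names. The log line format, host names, pids and timestamps are constructed for illustration and do not correspond to any real sensor; only the GIF and PE magic values and the two domains are real.

```python
import re
from datetime import datetime, timedelta

# Payload disguised as an image: a .gif whose header is not a GIF header is
# worth flagging. GIF87a/GIF89a are the real GIF signatures, MZ the real PE one.
GIF_MAGICS = (b"GIF87a", b"GIF89a")
PE_MAGIC = b"MZ"

def gif_disguise_check(name, data):
    """Classify a file by its name versus its leading bytes.

    Returns 'gif' for a genuine GIF, 'pe-disguised-as-gif' for a Windows
    executable carrying a .gif name, 'unknown-disguised-as-gif' for any other
    non-GIF content, and 'not-gif-name' when the name does not claim GIF.
    """
    if not name.lower().endswith(".gif"):
        return "not-gif-name"
    if data[:6] in GIF_MAGICS:
        return "gif"
    if data[:2] == PE_MAGIC:
        return "pe-disguised-as-gif"
    return "unknown-disguised-as-gif"

# Call-home lookup: rundll32 started at boot, then a connection to the
# search/social services named in the post.
LOOKUP_DOMAINS = {"twitter.com", "google.com"}

# Constructed sample log, hypothetical "<timestamp> <host> <event> key=value ..."
# format. pid 1204 on ws01 shows the pattern; pid 1330 is an ordinary rundll32
# whose google.com connection falls far outside the window; ws02 is a different
# host that happens to reuse pid 1204.
SAMPLE_LOG = r"""
2013-02-27T08:00:02Z ws01 process_create pid=1204 image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Run"
2013-02-27T08:00:05Z ws01 net_connect pid=1204 dest=twitter.com port=443
2013-02-27T08:00:09Z ws01 net_connect pid=1204 dest=198.51.100.7 port=80
2013-02-27T08:01:00Z ws01 process_create pid=1330 image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe shell32.dll,Control_RunDLL"
2013-02-27T08:30:00Z ws01 net_connect pid=1330 dest=google.com port=443
2013-02-27T08:00:20Z ws02 net_connect pid=1204 dest=twitter.com port=443
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one log line into a dict of timestamp, host, event and key=value fields."""
    ts, host, event, rest = line.split(" ", 3)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host=host, event=event)
    return fields

def rundll32_callhome(log_text, window=timedelta(minutes=2)):
    """Return (host, pid, dest) for every rundll32 start that is followed, within
    `window` and from the same host and pid, by a connection to a lookup domain."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    starts = [e for e in events
              if e["event"] == "process_create"
              and e.get("image", "").lower().endswith("rundll32.exe")]
    hits = []
    for s in starts:
        for e in events:
            if (e["event"] == "net_connect"
                    and e["host"] == s["host"] and e.get("pid") == s.get("pid")
                    and e.get("dest") in LOOKUP_DOMAINS
                    and s["ts"] <= e["ts"] <= s["ts"] + window):
                hits.append((s["host"], s["pid"], e["dest"]))
    return hits

if __name__ == "__main__":
    for name, blob in [("logo.gif", b"GIF89a" + bytes(20)),
                       ("update.gif", b"MZ\x90\x00" + bytes(60))]:
        print(name, gif_disguise_check(name, blob))
    for hit in rundll32_callhome(SAMPLE_LOG):
        print("rundll32 call-home candidate:", hit)
```

The correlation keys on host and pid together because pids are reused across machines and over time; the two-minute window is an assumption chosen to match "runs briefly after each boot", and a real deployment would also want the legitimate rundll32 uses on the host baselined so that the first check does not fire on every Control Panel applet.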
The Wilton Park and Ukraine's NATO Membership Action Plan Debates documents in >>358536 are .png captures of forged PDF documents that were used during the social engineering phase to initially drop the malware on target systems.
So these PDF documents shed light on what kind of systems were targeted by MINI-DUKE. These topics would be of interest to governments and militaries.