Anonymous ID: ab6676 Feb. 12, 2018, 8:03 p.m. No.358924   >>8986 >>9108 >>0271

MINI-DUKE malware.


Discovered February 27 2013.

First known sample: June 2011.

Risk: Document exfiltration.


Spread through an infected PDF file which deposits a dropper.

Once installed, the malware calls home using a URL found via Twitter or Google search query. When successfully connected, new updates or payloads are installed under the disguise of .gif images.

Spread by social engineering: malicious PDFs sent by email.

Within the installed malware, the query strings are encrypted.

Infects Windows (via rundll32)

Runs briefly after each boot

Has a mechanism for adding modules & updates


Includes commands for:

mv - Moves a file. Uses MoveFileA api.

cp - Copies a file. Uses CopyFileA api.

rm - Deletes a file. Uses DeleteFileA api.

pwd - Gets current dir. Uses GetCurrentDirectoryA api.

cd - Sets current dir. Uses SetCurrentDirectoryA api.

rmdir - Removes dir. Uses RemoveDirectoryA api.

mkdir - Creates a dir. Uses CreateDirectoryA api.

pskill - Kills process. Uses OpenProcess, TerminateProcess apis.


This is how the malware exfiltrates documents from target computers.


The Wilton Park and Ukraine's NATO Membership Action Plan Debates documents in >>358536 are .png captures of forged PDF documents that were used during the social engineering phase to initially drop the malware on target systems.


So these PDF documents shed light on what kind of systems were targeted by MINI-DUKE. These topics would be of interest to governments and military.
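
The post above notes that MiniDuke pulls its updates and payloads down disguised as .gif images. A basic defender-side check for that trick is to compare a download's claimed type (its .gif name) against what its first bytes actually are. The script below is an added example written for this thread, not MiniDuke code and not from any analysis vendor; the file names, the download dictionary and the byte contents are all constructed sample data.

```python
"""Flag downloads whose name says .gif but whose bytes are not a GIF.

Added defender-side example for this thread; it is not MiniDuke code and
not taken from any vendor's analysis. The sample downloads below are
constructed inline so the script runs offline.
"""
import struct
from typing import Dict, List, Tuple

# Every real GIF starts with one of these two signatures.
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def is_gif(data: bytes) -> bool:
    """True if the bytes start with a GIF signature."""
    return data[:6] in GIF_MAGICS


def is_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS header whose e_lfanew points at 'PE\\0\\0'.

    A DLL handed to rundll32 is a PE file, so a .gif that passes this check
    is the case worth escalating first.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, data: bytes) -> str:
    """Return 'ok', 'mismatch' or 'pe_disguised_as_gif' for one download."""
    if not name.lower().endswith(".gif"):
        return "ok"          # only .gif names are examined here
    if is_gif(data):
        return "ok"          # name and content agree
    if is_pe(data):
        return "pe_disguised_as_gif"
    return "mismatch"        # not a GIF, but not a PE either


def scan(downloads: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (name, verdict) for every download that is not 'ok'."""
    findings = []
    for name, data in downloads.items():
        verdict = classify(name, data)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


def build_fake_pe() -> bytes:
    """Constructed minimal DOS stub plus PE signature (not an executable)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample downloads: a genuine GIF, a PE wearing a .gif name,
# a PNG wearing a .gif name, and a PDF that is out of scope for this check.
SAMPLE_DOWNLOADS = {
    "banner.gif": b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16,
    "update.gif": build_fake_pe(),
    "logo.gif": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "report.pdf": b"%PDF-1.4 ...",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_DOWNLOADS):
        print(f"{name}: {verdict}")
```

In practice the same check runs over the response bodies a proxy or sandbox has captured; the point is that an extension is a claim, and the magic bytes are the evidence.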

Anonymous ID: ab6676 Feb. 12, 2018, 8:08 p.m. No.358974

This post >>354528 suggests that of the original seven dwarves DoD supercomputers, another one was just taken out, or its control by /badguys/ disabled.

A couple of days ago anons believed that 3 of the 7 had been disabled. This post suggests that a 4th has now been disabled.

3 remain, and they are in the kill box (targeted) for future action.


The graphic suggests that this is being done as a hack attack against them by a penetration testing firm.

I find this highly unlikely, but nothing can be ruled out.

Anonymous ID: ab6676 Feb. 12, 2018, 8:18 p.m. No.359057

>>354659

I don't have the slightest idea what this image is about.

The woman's eyes are blackened.

She's wearing something like a nun's veil on her head.

The white bib-like contraption is badly soiled by drops of some unclean liquid but it doesn't look as dark as blood.

She has something like a black ribbon around her neck, the kind worn for ID badges at computer conferences.

The background, as usual, exhibits mirroring about 2 vertical axes.


With the Apache posts we are beginning to think of mirroring in the sense of database mirroring.


I expect DBs with national security importance would certainly be mirrored. Think high availability systems technology. There are multiple technologies that can do that at high speed, in near real time, at geographically distant sites. I can't venture a specific guess because it depends heavily on the particular system architecture.