Miniduke Attacks are Back in Force, Says Kaspersky Lab
In a recently issued press release, Kaspersky Lab researchers said that Miniduke implants from 2013 are still being used by attackers.
According to Kaspersky Lab, old-style Miniduke implants from 2013 resumed attacks in full force in early 2014. This time, however, according to the security firm, the attackers appear to have changed their behavior.
They are now using another custom backdoor: malware that disguises itself as a popular application designed to run in the background, spoofing that application's file information, icons and even its file size.
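The article describes the disguise only at the level of copied file information, icons and file size. As an added illustration (not code from the article or from Kaspersky Lab), the following script shows how a defender can turn that description into a check: it compares what a binary's version resource claims (company and product name) against a known-good baseline of signer, install location, hash and size, and flags files that borrow a product's metadata without matching its contents. The inventory records, the "Example Corp" / "Example Updater" product and the baseline are all constructed sample data; a real deployment would feed it from an endpoint inventory or EDR export.

```python
"""Flag executables that borrow a known product's metadata but not its code.

Added example for this article. FileRecord mirrors the fields an endpoint
inventory would report; the baseline is a hypothetical allowlist of known-good
builds. All sample values below are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class FileRecord:
    path: str              # location on disk
    company: str           # CompanyName string from the PE version resource
    product: str           # ProductName string from the PE version resource
    size: int              # size on disk in bytes
    sha256: str            # SHA-256 of the file contents
    signer: Optional[str]  # Authenticode signer subject, None if unsigned


@dataclass
class Baseline:
    """Known-good build of a product (hypothetical allowlist entry)."""
    signer: str
    install_dir: str       # directory the product legitimately installs into
    known_hashes: set[str]
    size: int


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_record(rec: FileRecord, baselines: dict[tuple[str, str], Baseline],
                 size_tolerance: float = 0.02) -> list[str]:
    """Return the reasons a file looks like it impersonates a tracked product.

    An empty list means the record is consistent with its baseline (or claims
    to be a product we do not track, which is out of scope for this check).
    """
    base = baselines.get((rec.company, rec.product))
    if base is None:
        return []
    reasons: list[str] = []
    # A genuine build of the product carries the vendor's signature.
    if rec.signer is None:
        reasons.append(f"unsigned but claims to be {rec.product}")
    elif rec.signer != base.signer:
        reasons.append(f"signer {rec.signer!r} does not match expected {base.signer!r}")
    if rec.sha256 not in base.known_hashes:
        reasons.append("hash not in known-good set for claimed product")
        # Matching size with different contents is the padding trick the article describes.
        if abs(rec.size - base.size) <= size_tolerance * base.size:
            reasons.append("size matches legitimate build despite different contents")
    if not rec.path.lower().startswith(base.install_dir.lower() + "\\"):
        reasons.append(f"unexpected location {rec.path}")
    return reasons


def scan(records: list[FileRecord],
         baselines: dict[tuple[str, str], Baseline]) -> dict[str, list[str]]:
    """Map each suspicious path to its list of reasons."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        reasons = check_record(rec, baselines)
        if reasons:
            findings[rec.path] = reasons
    return findings


# Constructed sample contents: same length, different bytes.
LEGIT_BYTES = b"MZ" + b"\x00" * 998
FAKE_BYTES = b"MZ" + b"\x90" * 998

BASELINES = {
    ("Example Corp", "Example Updater"): Baseline(
        signer="Example Corp",
        install_dir="C:\\Program Files\\Example Updater",
        known_hashes={sha256_hex(LEGIT_BYTES)},
        size=len(LEGIT_BYTES),
    ),
}

SAMPLE_RECORDS = [
    # Genuine install: right place, right signer, known hash.
    FileRecord("C:\\Program Files\\Example Updater\\updater.exe", "Example Corp",
               "Example Updater", len(LEGIT_BYTES), sha256_hex(LEGIT_BYTES), "Example Corp"),
    # Impostor: copied version strings and size, but unsigned, different code, user-writable path.
    FileRecord("C:\\Users\\alice\\AppData\\Roaming\\updater.exe", "Example Corp",
               "Example Updater", len(FAKE_BYTES), sha256_hex(FAKE_BYTES), None),
    # Unrelated tool with no baseline: ignored by this check.
    FileRecord("C:\\Tools\\other.exe", "Other Co", "Other Tool", 500, sha256_hex(b"x"), None),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS, BASELINES).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The signer check carries the most weight: an icon, a product string and a padded file size are trivial to copy, a valid Authenticode signature from the real vendor is not. The other checks mainly help when signature verification is unavailable in the inventory feed.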
Here are some more details about it from the press release:
“The main “new” Miniduke backdoor (aka TinyBaron or CosmicDuke) is compiled using a customisable framework called BotGenStudio, which has flexibility to enable or disable components when the bot is constructed. The malware is able to steal a variety of information.”
“The backdoor also has many other capabilities including: keylogger, general network information harvester, screen grabber, clipboard grabber; Microsoft Outlook, Windows Address Book stealer, password stealer for Skype, Google Chrome, Google Talk, Opera, TheBat!, Firefox, Thunderbird, Protected Storage secrets harvester, Certificate/private keys exporter, etc.”
Vitaly Kamluk, Principal Security Researcher at the Global Research & Analysis Team, Kaspersky Lab, said the following:
“It’s a bit unexpected – normally, when we hear about APTs, we tend to think they are nation-state backed cyber espionage campaigns. But we see two explanations for this. One possibility is that malware platform BotGenStudio used in Miniduke is also available as a so-called “legal spyware” tool, similar to others, such as HackingTeam’s RCS, widely used by law enforcement.”
“Another possibility is that it’s simply available in the underground and purchased by various competitors in the pharma business to spy on each other.”
So, our advice is to make sure that you are running a legitimate, up-to-date antivirus product and that the rest of your software is patched, in order to avoid unwanted events.