The MiniDuke of Ukraine


Roughly one year ago, the MiniDuke malware was discovered in a targeted campaign against European governments. This week, reports have emerged that the malware is being distributed yet again under the guise of PDF documents related to Ukraine – one of which was never released to the public.

MiniDuke Background

When it first emerged, MiniDuke was noted for what many called a bizarre and advanced approach to malware. MiniDuke was written in machine assembly language, allowing for an extremely small – and unsuspicious file size. At the same time, it connected to both Twitter and Google to receive instructions on where to download updated backdoors. Once connected to malicious CnCs, updates would then come in the form of steganographically encrypted image files, allowing for essentially surreptitious infection. Back when MiniDuke was discovered, it was thought to be the work of a seasoned professional; and, the fact that it specifically targeted governmental computers was alarming.

MiniDuke Infection

While MiniDuke’s technical details may indeed be quite advanced, initial infection hinges on a simple act of social engineering: getting the victim to open a spoofed PDF. The PDF may come in the form of an official looking governmental document sent via email, or in even more targeted scenarios it could be placed on a USB drive that somehow makes its way into the port of the target’s computer. In both cases, an attacker’s success depends on covert infiltration. MiniDuke must be installed without arousing any suspicion.

The MiniDuke of Ukraine is a Social Engineer

For malware authors, infecting a governmental employee’s PC is high risk-high reward behavior, and in most cases it is extremely targeted. Most governments practice extremely stringent security policies, and most governmental employees are trained to be suspicious of unsolicited emails or requests to “print” a document on their computer. But attackers do get through, and this of course brings us to MiniDuke’s latest incarnation.

The malware has caused concern because the spoofed PDFs find origin in Ukraine. Most of the documents were gleaned from publicly accessible sources, and made to look relevant to whomever they were sent; but one document in particular contains the signature of Ruslan Demchenko, First Deputy Minister for Foreign Affairs of Ukraine. This document was never made publicly accessible.

The implications of this latest MiniDuke campaign are thus twofold:

  1. Whoever receives the spoofed PDFs is much more likely to open to them, regardless of training, simply because the current crisis in Ukraine is on everyone’s mind.
  2. Whoever has created the spoofed PDFs may already have insider access to the Ukrainian government’s computer network.

Both of these implications speak to the nature of malware propagation in general, and both can provide insight to any computer user regardless of occupational status. Social engineering usually works best when it leverages current events or a subject the target is known to be involved in. And, when the stakes are high, insider connections are common. For personal users, this isn’t to say that friends betray friends with targeted malware; but, it does relate to the increasingly social nature of the web and does suggest that everyone should be wary of who they “let in” to their Internet social circle. Targeted attacks work because attackers with targets do their research, and minimizing the amount of personal information one puts on the web is therefore an essential step to identity theft prevention. For governmental employees bound by duty to be transparent, this may indeed be difficult; but for the rest of us, it can be as simple as anonymizing a Twitter account.

MiniDuke and Emsisoft

Fortunately, most Emsisoft users are not at risk of being infected by MiniDuke, simply because the malware is most often deployed in targeted attacks against governmental employees. Nevertheless, Emsisoft Anti-Malware does detect MiniDuke’s dropper and MiniDuke’s payload, simply because malware is malware — no matter who it targets or where it comes from.

So whether you’re governmental, civilian, or purely virtual, Have a Great (Malware-Free) Day!