Difference between revisions of "MiniDuke"
Revision diff (older revision → latest revision); minor edit: text replacement "=Unknown" to "=". 2 intermediate revisions by the same user not shown.
Changed fields (from line 7 of the wiki source):
- CVE: (empty) → CVE-2013-0640
- BeginYear: (empty) → 2013
Unchanged fields shown as diff context:
- Related to [[ItaDuke]]
- Alias=SandyEva
- Target= (empty)
- UserAgent= (unchanged; the full string is in the infobox below)
- CCProtocol=Twitter
- Status= (empty)
- EndYear= (empty)
- Group=Spying
- Infrastructure=* Uses Twitter predefined accounts for commands (to point at URLs for the C&Cs)
Latest revision as of 15:50, 8 August 2015
MiniDuke |
---|---
Alias | SandyEva
Group | Spying
Relations | Related to ItaDuke (the Parent, Sibling, Family and Variants fields are empty on the wiki)
Target | (not recorded)
Origin | (not recorded)
Distribution vector | (not recorded in the infobox; the Introduction names a crafted PDF exploiting CVE-2013-0640)
UserAgent | Mozilla/4.0 (compatible; MSIE 7.0; windows NT 5.1; .NET CLR 2.0.50727; .NT CLR 2.0.4506.2151; .N&T CLR 3.5.30729; InfoPath.2) (reproduced exactly as recorded on the wiki, including the irregular ".NT" and ".N&T" tokens; when using it as an indicator, match it verbatim rather than "correcting" it)
CCProtocol | Twitter (Centralized)
Activity | 2013 / (end year not recorded)
Status, Language, Programming language, Operation/Working group | (not recorded)
Introduction
- Infection by a crafted PDF file exploiting CVE-2013-0640
- A 20 kB downloader (crafted specifically for each attacked system), which calculates a unique fingerprint of the host that is also used for encryption
- The downloader finds its command-and-control through predefined Twitter accounts whose tweets point at the URLs of the C&C servers (per the wiki's Infrastructure field)
- From the C&C it receives encrypted backdoors obfuscated within GIF files
- That stage then fetches a larger backdoor that carries out the actual spying activities
- Kaspersky identified 59 unique victims in 23 countries (Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, United Kingdom and United States)
- Related to ItaDuke
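The page states that the second stage arrives as encrypted backdoors obfuscated within GIF files. A generic triage check a practitioner can run over suspect images is to walk the GIF block structure to the trailer byte (0x3B) and report any data that sits after it, with its entropy. The block below is an added example written for this page; it is not code from the wiki or from any MiniDuke analysis. It assumes an "appended after the trailer" carrier layout purely as a heuristic (the page does not say how MiniDuke embedded its payload), and both the minimal 1x1 GIF and the appended bytes are constructed inline.

```python
"""Added example (not from the botnets.fr wiki or from MiniDuke samples):
walk a GIF's block structure to the trailer and report bytes appended after it.
"""
import math

# Constructed sample: a structurally valid 1x1 GIF89a with a 2-entry global color table.
CLEAN_GIF = (
    b"GIF89a"
    + b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen descriptor: 1x1, GCT flag set, size 2
    + b"\x00\x00\x00\xff\xff\xff"                  # global color table (2 RGB entries)
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor at 0,0 size 1x1, no local table
    + b"\x02\x02\x44\x01\x00"                      # LZW min code size, one 2-byte sub-block, terminator
    + b"\x3b"                                      # trailer
)

# Constructed sample: the same GIF with 512 bytes of high-entropy data appended (hypothetical carrier).
STAGED_GIF = CLEAN_GIF + bytes((i * 97 + 13) & 0xFF for i in range(512))


def _entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _skip_sub_blocks(buf: bytes, pos: int) -> int:
    """Skip a chain of GIF data sub-blocks (length byte + data), ending at the 0x00 terminator."""
    while True:
        if pos >= len(buf):
            raise ValueError("truncated sub-block chain")
        size = buf[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def find_gif_trailer(buf: bytes) -> int:
    """Return the offset of the GIF trailer (0x3B) by walking every block.

    Raises ValueError if the data is not a structurally valid GIF.
    """
    if buf[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    if len(buf) < 13:
        raise ValueError("truncated logical screen descriptor")
    packed = buf[10]
    pos = 13
    if packed & 0x80:  # global color table: 3 * 2^(N+1) bytes, N = low three bits
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while pos < len(buf):
        tag = buf[pos]
        if tag == 0x3B:
            return pos
        if tag == 0x21:  # extension: introducer, label, then sub-blocks
            pos = _skip_sub_blocks(buf, pos + 2)
        elif tag == 0x2C:  # image descriptor: 10 bytes, optional local color table, LZW data
            if pos + 10 > len(buf):
                raise ValueError("truncated image descriptor")
            ipacked = buf[pos + 9]
            pos += 10
            if ipacked & 0x80:
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1  # LZW minimum code size
            pos = _skip_sub_blocks(buf, pos)
        else:
            raise ValueError(f"unknown block tag 0x{tag:02x} at offset {pos}")
    raise ValueError("no trailer found")


def appended_payload(buf: bytes) -> dict:
    """Describe whatever follows the GIF trailer; any trailing data is worth a closer look."""
    end = find_gif_trailer(buf) + 1
    tail = buf[end:]
    return {
        "trailer_offset": end - 1,
        "appended_length": len(tail),
        "appended_entropy": round(_entropy(tail), 2),
        "suspicious": len(tail) > 0,
    }


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_GIF), ("staged", STAGED_GIF)):
        print(name, appended_payload(sample))
```

Walking the block structure rather than searching for the last 0x3B matters because 0x3B can legitimately occur inside LZW data or a color table. Trailing data is a triage signal, not proof: some editors append metadata after the trailer, so the entropy figure is there to separate text-like tails from encrypted ones.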
Features
CVE: CVE-2013-0640