Difference between revisions of "MiniDuke"

Edit summary: m (1 revision imported)

Infobox template fields (wikitext) as they appear in the two compared revisions:

* Kaspersky identified 59 unique victims in 23 countries (Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, United Kingdom and United States)
* Related to [[ItaDuke]]
|Alias=SandyEva
|Target=Unknown
|UserAgent=Mozilla/4.0 (compatible; MSIE 7.0; windows NT 5.1; .NET CLR 2.0.50727; .NT CLR 2.0.4506.2151; .N&T CLR 3.5.30729; InfoPath.2)
|CCProtocol=Twitter
|MMPC=Win32/SandyEva
|Status=Unknown
|BeginYear=Unknown
|EndYear=Unknown
|Group=Spying
|Infrastructure=* Uses predefined Twitter accounts for commands (the tweets point at the URLs of the C&C servers)
* As an alternative to Twitter, can use Google Search, looking for the strings "lUFEfiHKljfLKWPR", "HkyeiIDKiroLaKYr", "lUFEfiHKDroLaKYr", ...
* An index.php on the server found this way delivers a GIF file with encrypted content embedded
|CC2=HTTP
|Victime4=
}}
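The three network indicators the Infrastructure field records (the malformed User-Agent, Google searches for the marker strings, and an index.php that answers with a GIF) can be turned into proxy-log detection logic. The script below is an added example written for this page; it is not code from the wiki, from Kaspersky or from the malware. Its log layout is a constructed tab-separated format (timestamp, client IP, method, URL, HTTP status, response Content-Type, User-Agent), and the sample lines, client IPs, Twitter path and the 203.0.113.10 server are constructed too. The page's marker list ends with "...", so the tuple of search strings is known to be incomplete.

```python
"""Flag MiniDuke-style C&C discovery in HTTP proxy logs.

Added example for this page; not code from the wiki, from Kaspersky or from
the malware. Log layout is a constructed tab-separated one:
    ts <TAB> client IP <TAB> method <TAB> URL <TAB> status <TAB> Content-Type <TAB> User-Agent
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Copied exactly as the page records it, including the lower-case "windows"
# and the ".NT CLR" / ".N&T CLR" tokens a genuine IE header spells ".NET CLR".
MINIDUKE_UA = (
    "Mozilla/4.0 (compatible; MSIE 7.0; windows NT 5.1; .NET CLR 2.0.50727; "
    ".NT CLR 2.0.4506.2151; .N&T CLR 3.5.30729; InfoPath.2)"
)
# The page lists these three and ends with "...", so this set is incomplete.
SEARCH_MARKERS = ("lUFEfiHKljfLKWPR", "HkyeiIDKiroLaKYr", "lUFEfiHKDroLaKYr")
GOOGLE_HOST = re.compile(r"(?:www\.)?google\.[a-z.]+")

RULE_UA = "ua-malformed-dotnet-tokens"
RULE_SEARCH = "google-search-for-c2-marker"
RULE_GIF = "index.php-serving-gif"


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed-format log line into named fields."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        raise ValueError(f"expected 7 tab-separated fields, got {len(fields)}")
    keys = ("ts", "src", "method", "url", "status", "ctype", "ua")
    return dict(zip(keys, fields))


def match_rules(rec: Dict[str, str]) -> List[str]:
    """Return the names of every indicator this request matches."""
    hits: List[str] = []
    if rec["ua"] == MINIDUKE_UA:
        hits.append(RULE_UA)
    parts = urlsplit(rec["url"])
    host = (parts.hostname or "").lower()
    if GOOGLE_HOST.fullmatch(host) and parts.path == "/search":
        query = " ".join(parse_qs(parts.query).get("q", []))
        if any(marker in query for marker in SEARCH_MARKERS):
            hits.append(RULE_SEARCH)
    # Weak on its own (plenty of sites serve images from PHP); it earns its
    # place when the same client also trips the UA or search rule.
    if parts.path.endswith("/index.php") and rec["ctype"].lower().startswith("image/gif"):
        hits.append(RULE_GIF)
    return hits


def scan(lines) -> List[Tuple[str, str, List[str]]]:
    """(client, URL, matched rules) for every line that matches at least one rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        hits = match_rules(rec)
        if hits:
            findings.append((rec["src"], rec["url"], hits))
    return findings


def suspicious_clients(findings) -> List[str]:
    """Clients that tripped two or more distinct rules across their requests."""
    seen: Dict[str, set] = {}
    for src, _url, hits in findings:
        seen.setdefault(src, set()).update(hits)
    return sorted(src for src, rules in seen.items() if len(rules) >= 2)


# Constructed sample traffic: one clean browser, one infected host working
# through the Twitter -> Google search -> index.php/GIF sequence, one clean search.
SAMPLE_LOG = [
    "2015-08-03T10:24:01Z\t10.0.0.5\tGET\thttp://www.example.com/\t200\ttext/html\t"
    "Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0",
    "2015-08-03T10:24:07Z\t10.0.0.7\tGET\thttps://twitter.com/EXAMPLE_ACCOUNT\t200\ttext/html\t"
    + MINIDUKE_UA,
    "2015-08-03T10:24:09Z\t10.0.0.7\tGET\thttps://www.google.com/search?q=lUFEfiHKljfLKWPR&hl=en"
    "\t200\ttext/html\t" + MINIDUKE_UA,
    "2015-08-03T10:24:15Z\t10.0.0.7\tGET\thttp://203.0.113.10/index.php\t200\timage/gif\t"
    + MINIDUKE_UA,
    "2015-08-03T10:25:00Z\t10.0.0.9\tGET\thttps://www.google.com/search?q=python+gif+parser"
    "\t200\ttext/html\tMozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0",
]

if __name__ == "__main__":
    for src, url, hits in scan(SAMPLE_LOG):
        print(src, url, hits)
    print("suspicious clients:", suspicious_clients(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

The User-Agent rule is an exact match on purpose: the value is malformed in ways a real browser never produces, so a substring or regex match would only add false positives. The index.php/GIF rule is deliberately weak and is meant to be read together with the other two per client, which is what suspicious_clients does.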
Revision as of 10:24, 3 August 2015
(Botnet)
MiniDuke |
---|---
Alias | SandyEva
Group | Spying
Parent |
Sibling |
Family |
Relations | Variants: (none listed); Sibling of: (none listed)
Target | Unknown
Origin |
Distribution vector |
UserAgent | Mozilla/4.0 (compatible; MSIE 7.0; windows NT 5.1; .NET CLR 2.0.50727; .NT CLR 2.0.4506.2151; .N&T CLR 3.5.30729; InfoPath.2)
CCProtocol | Twitter (Centralized)
Activity | Unknown (begin year) / Unknown (end year)
Status | Unknown
Language |
Programming language |
Operation/Working group |

The User-Agent is reproduced exactly as the wiki records it. It is malformed: a genuine Internet Explorer 7 header capitalises "Windows" and spells every runtime token ".NET CLR", whereas this one carries "windows", ".NT CLR" and ".N&T CLR". That makes the exact string a usable network indicator rather than a typo to correct.
Introduction
- Infection by a crafted PDF file exploiting CVE-2013-0640 (Adobe Reader)
- 20 kB downloader, crafted specifically for each attacked system, which computes a unique fingerprint of the host that is also used for encryption
- The downloader receives encrypted backdoors obfuscated within GIF files
- These in turn fetch a larger backdoor that carries out the actual spying activities
- Kaspersky identified 59 unique victims in 23 countries (Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, United Kingdom and United States)
- Related to ItaDuke
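The stage-two delivery above ("encrypted backdoors obfuscated within GIF files") is the kind of artefact an analyst triages by checking whether a downloaded image is larger than its own structure says it should be. The script below is an added example written for this page, not code from the wiki, from Kaspersky or from the malware. The page does not say how the content is embedded; the assumption made here, and it is an assumption, is that the blob sits after the GIF trailer byte (0x3B), so walking the real block structure and finding bytes after the trailer exposes it. The 1x1 GIF and the "encrypted stage" are constructed for the demo, and nothing is decrypted: the entropy figure only says whether the carved bytes look like ciphertext.

```python
"""Carve data hidden after the logical end of a GIF image.

Added example for this page; not code from the MiniDuke page, from Kaspersky
or from the malware. Assumption: the hidden blob is appended after the GIF
trailer (0x3B). The GIF and the payload below are constructed.
"""
import math
import struct

GIF_EXTENSION = 0x21
GIF_IMAGE = 0x2C
GIF_TRAILER = 0x3B


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip a chain of length-prefixed data sub-blocks; return offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def _color_table_size(packed: int) -> int:
    """Byte length of a colour table if the flags byte says one is present, else 0."""
    if not packed & 0x80:
        return 0
    return 3 * (2 ** ((packed & 0x07) + 1))


def gif_logical_end(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the trailer."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed = struct.unpack("<HHBBB", data[6:13])[2]   # logical screen descriptor flags
    pos = 13 + _color_table_size(packed)              # skip global colour table if any
    while True:
        if pos >= len(data):
            raise ValueError("no GIF trailer found")
        tag = data[pos]
        pos += 1
        if tag == GIF_TRAILER:
            return pos
        if tag == GIF_EXTENSION:
            pos += 1                                  # extension label byte
            pos = _skip_sub_blocks(data, pos)
        elif tag == GIF_IMAGE:
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            pos += 9                                  # left, top, width, height, flags
            pos += _color_table_size(data[pos - 1])   # local colour table if flagged
            pos += 1                                  # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unexpected block tag 0x{tag:02x} at offset {pos - 1}")


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, lower for text or code."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def carve_trailing_payload(data: bytes) -> bytes:
    """Return whatever follows the GIF trailer (empty for a clean image)."""
    return data[gif_logical_end(data):]


def analyse_gif(data: bytes) -> dict:
    """Summary a triage script would log: image size, trailing bytes and their entropy."""
    end = gif_logical_end(data)
    tail = data[end:]
    entropy = shannon_entropy(tail)
    return {
        "image_bytes": end,
        "trailing_bytes": len(tail),
        "trailing_entropy": round(entropy, 2),
        "suspicious": len(tail) > 0 and entropy > 7.0,
    }


# Constructed 1x1 GIF89a (43 bytes): header, screen descriptor, 2-entry global
# colour table, graphic control extension, image descriptor, LZW data, trailer.
CLEAN_GIF = bytes.fromhex(
    "474946383961"            # "GIF89a"
    "01000100800000"          # width 1, height 1, flags 0x80 (GCT of 2 entries), bg, aspect
    "000000ffffff"            # global colour table: black, white
    "21f904010000000" "0"     # graphic control extension + terminator
    "2c000000000100010000"    # image descriptor, no local colour table
    "02" "024401" "00"        # LZW min code size, one data sub-block, terminator
    "3b"                      # trailer
)
# Constructed stand-in for an encrypted stage: every byte value 0..255 appears
# exactly twice in 512 bytes, so its entropy is 8.0 bits/byte like ciphertext.
FAKE_ENCRYPTED_STAGE = bytes(((i * 97) + 13) & 0xFF for i in range(512))
TROJANISED_GIF = CLEAN_GIF + FAKE_ENCRYPTED_STAGE

if __name__ == "__main__":
    print("clean:", analyse_gif(CLEAN_GIF))
    print("trojanised:", analyse_gif(TROJANISED_GIF))
```

Walking the block structure rather than searching for the last 0x3B matters because 0x3B is an ordinary byte value that can occur inside LZW image data or inside the appended blob itself; only the structural end of the image tells you where the legitimate file stops.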
Features
Associated images
Checksums / AV databases
- Microsoft MMPC: Win32/SandyEva