The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor (or ‘how many cool words can you fit into one title’)

On Feb 12th 2013, FireEye announced the discovery (http://blog.fireeye.com/research/2013/02/the-number-of-the-beast.html) of an Adobe Reader 0-day exploit that was being used to drop a previously unknown, advanced piece of malware. We called this new malware “ItaDuke” because it reminded us of Duqu and because of the archaic Italian comments in the shellcode, copied from Dante Alighieri’s Divine Comedy.

Since the original announcement, we have observed several new incidents using the same exploit (CVE-2013-0640), some of which were so unusual that we decided to analyze them in depth.

Together with our partner CrySyS Lab, we’ve performed a detailed analysis of these new incidents, which indicates a new, previously unknown threat actor. For their analysis, please read http://blog.crysys.hu/2013/02/miniduke/ . For our analysis, please read below.

First of all, while the fake “Mandiant” PDF reports (see http://blog.seculert.com/2013/02/spear-phishing-with-mandiant-apt-report.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SeculertResearchLab+(Seculert+Research+Lab)) are just crude modifications of the original exploit, these newer attacks appear to have been created with the same 0-day toolkit that was used to build the original “Visaform Turkey.pdf” discovered by FireEye.

Authors: Costin Raiu, Igor Soumenkov, Kurt Baumgartner, Vitaly Kamluk

Source and full report:
http://www.securelist.com/en/downloads/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf 
