Kaspersky Lab captured this latest specimen of malware in the wild, and it's named not for a diminutive version of John Wayne but because it reminded researchers of the Duqu worm.
MiniDuke has been at work attacking governments around the world, including those of Ireland, Romania, Portugal, Belgium, and the Czech Republic, as well as "the computers of a prominent research foundation in Hungary, two think tanks, and an unnamed healthcare provider in the US." Around 60 unique targets have been identified -- so far.
The attacks rely on well-crafted social engineering to convince recipients to open malicious Adobe PDF files. Rather than the generic lures usually seen in such campaigns, the decoy content was apparently relevant to, and well targeted at, each recipient. The backdoor dropped on each compromised system is unique to that victim and built to evade detection.
Amazingly, the malware receives its instructions by looking up Twitter accounts set up by the attackers and acting on what it finds in their tweets. Because the command-and-control location is fetched from a legitimate, high-traffic public service rather than hardcoded, there is no suspicious server address in the sample to block, and the traffic blends in with ordinary web browsing.
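One way defenders can hunt for this pattern in their own web-proxy logs, as an added example that is not code from Kaspersky Lab or from the MiniDuke report: an implant that polls an attacker's Twitter profile tends to do so on a fixed timer, whereas a human visiting Twitter does not. The script below groups fetches of Twitter profile pages by source host and flags those whose request intervals are almost perfectly regular. The `timestamp|host|user-agent|url` log layout, the reserved-path list, the polling cadence and the log lines themselves are all assumptions constructed for the example; the page does not say how often MiniDuke checked its accounts.

```python
"""Flag hosts that poll Twitter profile pages on a beacon-like cadence.

Added illustration, not code from Kaspersky Lab or the MiniDuke report.
The log format (timestamp|source host|user agent|url) is an assumption and
the sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log: ws-17 hits one profile exactly every 10 minutes,
# ws-22 browses Twitter like a person, ws-31 never touches Twitter.
SAMPLE_LOG = """\
2013-02-27T09:00:00|ws-17|Mozilla/4.0 (compatible; MSIE 7.0)|https://twitter.com/some_account
2013-02-27T09:10:00|ws-17|Mozilla/4.0 (compatible; MSIE 7.0)|https://twitter.com/some_account
2013-02-27T09:20:00|ws-17|Mozilla/4.0 (compatible; MSIE 7.0)|https://twitter.com/some_account
2013-02-27T09:30:00|ws-17|Mozilla/4.0 (compatible; MSIE 7.0)|https://twitter.com/some_account
2013-02-27T09:40:00|ws-17|Mozilla/4.0 (compatible; MSIE 7.0)|https://twitter.com/some_account
2013-02-27T09:02:13|ws-22|Mozilla/5.0 (Windows NT 6.1) Firefox/19.0|https://twitter.com/some_account
2013-02-27T09:03:41|ws-22|Mozilla/5.0 (Windows NT 6.1) Firefox/19.0|https://twitter.com/search?q=news
2013-02-27T09:47:05|ws-22|Mozilla/5.0 (Windows NT 6.1) Firefox/19.0|https://twitter.com/some_account
2013-02-27T11:15:30|ws-22|Mozilla/5.0 (Windows NT 6.1) Firefox/19.0|https://twitter.com/some_account
2013-02-27T09:05:00|ws-31|Mozilla/5.0 (Windows NT 6.1) Firefox/19.0|https://www.google.com/search?q=weather
"""

# A Twitter handle is 1-15 word characters; these top-level paths are not profiles
# (assumed list, extend as needed).
PROFILE_PATH = re.compile(r"^/[A-Za-z0-9_]{1,15}$")
RESERVED = {"home", "search", "login", "settings", "i", "explore", "about"}
TWITTER_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}


def parse_log(text):
    """Turn the assumed pipe-separated log into (datetime, host, ua, url) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, ua, url = line.split("|", 3)
        records.append((datetime.fromisoformat(ts), host, ua, url))
    return records


def is_twitter_profile(url):
    """True for a bare profile page such as https://twitter.com/<handle>."""
    p = urlparse(url)
    if p.hostname not in TWITTER_HOSTS or p.query:
        return False
    return bool(PROFILE_PATH.match(p.path)) and p.path[1:].lower() not in RESERVED


def find_beacons(records, min_hits=4, max_cv=0.1, min_interval=60, max_interval=86400):
    """Report (host, profile) pairs fetched at near-constant intervals.

    A coefficient of variation (stdev / mean) of the gaps at or below max_cv
    means the timing is machine-regular; the interval bounds drop both page
    reloads a few seconds apart and once-a-week visits.
    """
    by_key = defaultdict(list)
    for ts, host, _ua, url in records:
        if is_twitter_profile(url):
            by_key[(host, url)].append(ts)

    findings = []
    for (host, url), stamps in by_key.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if not (min_interval <= avg <= max_interval):
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"host": host, "profile": url, "hits": len(stamps),
                             "mean_interval_s": avg, "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} polls {f['profile']} every {f['mean_interval_s']:.0f}s "
              f"({f['hits']} hits, cv={f['cv']})")
```

Run against real proxy exports, the interesting output is not the flagged Twitter handle itself but the host and the process behind it; a regular cadence from something other than a browser is the lead to pull.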
Analysts have been impressed by the sophistication of the attack, but that doesn't mean it's anything new. Eugene Kaspersky himself described MiniDuke as "old school malware," and he speculated that this signals the re-emergence of "elite" malware writers who have been relatively inactive for the last few years.
Josh Halliday echoed this in the Guardian, describing the MiniDuke campaign as "a complex online assault seen rarely since the turn of the millennium." What's more, the attacks are very much under way, with MiniDuke samples having been created as recently as a week before this was written.
This leaves us with the usual questions. We know how; we don't know who, or why, or what to do about it. And does it present a risk to enterprises? As for what to do about it, Kaspersky Lab's detailed report will be of interest to security professionals. The question of enterprise risk rather depends on how the other questions are answered.
In principle, enterprise networks look highly vulnerable to this kind of attack: nothing about a targeted PDF lure opened by a user, or a backdoor that phones home through a public web service, is specific to government networks. It also seems -- again, so far -- that the attackers don't have commercial targets in mind. If it's a case of espionage, the targets are diverse, and some could be no more than screens (if this were a Russian operation, for example, targeting the Russian Federation, as MiniDuke did, would be a sensible piece of misdirection). China seems to be absent from the victims list, so maybe it should get the blame, as usual.
There have been reports that the malware connects to servers in Turkey and Panama, and it's surely possible that investigation of the Twitter accounts could produce some clues. Right now, we're in the bunker again, as usual, understanding that a technique for stealing political secrets could just as easily be used to steal enterprise secrets.
— Kim Davis, Community Editor, Internet Evolution