It looks like this just isn’t Adobe’s week. A new virus, called MiniDuke, has been attacking government institutions all around Europe and the United States using a security exploit in the Adobe Reader program. The virus is sent around as a very credible looking PDF file. The file carries information about a human rights seminar (ASEM), Ukraine’s foreign policy, and NATO membership plans. But while the information might seem credible on the surface, it secretly uploads malware onto the computer and disguises itself from various anti-malware, anti-virus, and other cyber-security programs.
The MiniDuke virus has affected various Government institutes located in Ukraine, Belgium, Portugal, Romania, the Czech Republic, Ireland, Hungary, and the United States. It uses exploits found in Adobe Reader 9, 10, and 11. The code for the MiniDuke’s customized back door was written in “Assembler”. It loads a downloader onto the system that’s only 20kb in size. During system boot, the downloader determines the computer’s unique fingerprint and uses it to encrypt itself from any antivirus program that can identify it.
MiniDuke then creates a Twitter account using its Command and Control (C2) system and creates tweets containing encrypted URLs in hashtags that lead to backdoors. These backdoors provide MiniDuke’s C2 access to the entire computer. It then loads malicious files, disguised as GIF images, onto the computer. This opens up an even bigger backdoor that allows MiniDuke’s C2 to copy files, delete files, make directories, kill processes, and even load more malware onto the computer.
The backdoors have been traced back to two servers located in Panama and Turkey. The latest attack happened on February 20th. Adobe had previously patched its Adobe Reader software, but it seems that MiniDuke was able to find a bypass to it. It was only yesterday when Adobe had to release an emergency update for its Adobe Flash Player because hackers were using it to attack Firefox users.