The 2012 sample of MiniDuke is now fully analyzed and the results are in, revealing a surprisingly simple and effective way to deliver a targeted espionage e-threat while avoiding “collateral damage” and thus premature detection.
Bitdefender anti-malware researcher Marius Tivadar has provided the details: the 2012 version of MiniDuke uses CVE-2011-2462, a vulnerability which was being exploited in the wild as early as December 2011. The sample is, as mentioned, dated 2012-05-14.
It comes packed with an invitation to a conference, in .pdf format. The conference was real and started about a month later; the people whose signatures and contact data appear in the invitation are real, and they really can be contacted at the specified addresses and phone numbers. However, the invitation as a whole is a hoax: it makes use of very domain-specific language, but also of a photo lifted from a UN website that has nothing to do with the conference or its eventual attendees.
The trick used to prevent unwitting third parties from opening the malicious .pdf and becoming infected themselves is really quite simple – the file is password-protected. Presumably, instructions to retrieve the password were contained in the e-mail. Without the proper password, the file is perfectly innocuous, in that it can be passed around from system to system with no danger of infection.
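A defender can at least flag such attachments before a user is asked for the password: a password-protected PDF carries an /Encrypt entry in its trailer (or cross-reference stream dictionary) that is readable without the password, and encrypted attachments are exactly the ones an automated scanner cannot inspect. The following is an added example, not code from Bitdefender or the original article; the two minimal PDFs are constructed samples, and the function and class names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed minimal PDFs for the demonstration (not real samples).
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
trailer << /Root 1 0 R /Size 3 >>
%%EOF"""

ENCRYPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
5 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >> endobj
trailer << /Root 1 0 R /Encrypt 5 0 R /Size 6 >>
%%EOF"""

@dataclass
class EncryptionInfo:
    encrypted: bool
    filter_name: Optional[str] = None   # security handler, e.g. "Standard" (password based)
    version: Optional[int] = None       # /V algorithm version
    revision: Optional[int] = None      # /R standard handler revision
    key_bits: Optional[int] = None      # /Length of the encryption key

def _int_field(dictionary: bytes, key: bytes) -> Optional[int]:
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", dictionary)
    return int(m.group(1)) if m else None

def inspect_pdf_encryption(data: bytes) -> EncryptionInfo:
    """Report whether a PDF is password-protected, without needing the password."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF file")
    # /Encrypt is an indirect reference in a classic trailer or an xref stream dictionary.
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if ref is None:
        return EncryptionInfo(encrypted=False)
    obj_num, gen = ref.group(1), ref.group(2)
    # Flat dictionary only: nested /CF dictionaries (V >= 4) are cut at the first '>>'.
    obj = re.search(rb"(?<!\d)" + obj_num + rb"\s+" + gen + rb"\s+obj\s*<<(.*?)>>", data, re.S)
    if obj is None:
        # Reference present but object missing: still encrypted, parameters unknown.
        return EncryptionInfo(encrypted=True)
    body = obj.group(1)
    filt = re.search(rb"/Filter\s*/(\w+)", body)
    return EncryptionInfo(
        encrypted=True,
        filter_name=filt.group(1).decode() if filt else None,
        version=_int_field(body, b"V"),
        revision=_int_field(body, b"R"),
        key_bits=_int_field(body, b"Length"),
    )
```

Run against mail attachments, an `encrypted=True` result is a reason to hold the message for manual review, since no scanner or sandbox will see the payload without the password.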
“There was much research and thought which went into creating this fake. Even just getting the contact details of the people involved can’t have been an easy task. As to how the attackers managed to convincingly impersonate or indeed compromise the purported senders’ e-mail server, we are not sure yet. We have contacted the affected organization though and are trying to track down an e-mail sample,” explained Mr. Tivadar.