TR-14 - Analysis of a stage 3 Miniduke malware sample

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.

Search


CIRCL is accredited TI CIRCL is a FIRST member CIRCL is an OASIS member

Overview

In the scope of targeted attacks with a malware labeled as Miniduke by Kaspersky Labs, CIRCL was interested in the way the malware’s later stages work and what kind of interesting information they reveal (e.g. techniques, style, IOCs). No public analysis was found except the mention in Kaspersky’s report of a custom backdoor, so CIRCL took one of the known samples and started this analysis.

Report

Recommendation

  • CIRCL recommends private organizations or any potential targets to verify the Indicator of Compromise (IOCs) during the year 2012 contained in the report to detect any potential infection. CIRCL can be contacted in case of detection.

    • If you are checking for the A record of news.grouptumbler.com, as the current IP address (173.194.70.101) is going to Google IP ranges, you might have false positive. You have to refine your search with the previous address used 200.63.46.23 (news.grouptumbler.com) or checking the URL (news/feed.php) path pattern in your proxy logs to confirm the Miniduke infection.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 March 13, 2013 Initial version (TLP:AMBER)
  • Version 1.1 May 30, 2013 Public version (TLP:WHITE)
  • Version 1.2 July 3, 2014 Loader diagram added due to F-Secure report CosmicDuke: Cosmu With a Twist of MiniDuke