Installation
Backdoor:Win32/Miniduke.A is an executable dropped by PDF documents that exploit the vulnerability described in CVE-2013-0641. The PDF document may be detected as Exploit:Win32/CVE-2013-0641.
If Adobe Acrobat or Adobe Reader is exploited successfully, the backdoor is dropped in your computer as the file "%USERPROFILE%\Application Data\Local Settings\Temp\acrord32_sbx\d.t".
Note: %USERPROFILE% refers to a variable location that is determined by the malware by querying the operating system. The default location for the User Profile folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>" or "C:\Users\<user>". For Windows Vista, 7, and 8, the default location is "C:\Users\<user name>".
When run, Backdoor:Win32/Miniduke.A drops the following files:
- %USERPROFILE%\LocalSettings\Application Data\update.cmd - a batch script
- %USERPROFILE%\Local Settings\Application Data\<random characters>.tmp - a DLL file also detected as Backdoor:Win32/Miniduke.A
- %USERPROFILE%\Local Settings\Temporary Internet Files\eu_advisory.pdf - a clean PDF file
When run, the file "update.cmd" does the following:
- Closes Adobe Reader, including the one that was used to open the initial PDF exploit
- Opens the clean dropped PDF file "eu_advisory.pdf"
Backdoor:Win32/Miniduke.A is loaded every time Windows starts in the context of the process "rundll32.exe".
To do this, Backdoor:Win32/Miniduke.A creates a copy of itself as a hidden file named "%USERPROFILE%\Application Data\Windows Genuine Advantage\class.idx".
It also creates a shortcut in the Windows Startup folder named either "Soft", "Service", or "Event". The shortcut file points to the Windows process "rundll32.exe" with "class.idx" as a parameter.
Payload
Steals computer information
Backdoor:Win32/Miniduke.A computes a SHA-1 hash based on the following system information:
- Your computer name
- The serial number of your hard drive where Windows is installed
Checks for tools
Backdoor:Win32/Miniduke.A doesn't run its information-stealing payload if it encounters any of the following processes in your computer; these processes are related to debugging tools, monitoring tools and virtual machines:
- apimonitor.exe
- apispy32.exe
- cdb.exe
- commview.exe
- dumpcap.exe
- filemon.exe
- idag.exe
- idag64.exe
- immunityDebugger.exe
- iris.exe
- netsniffer.exe
- ollydbg.exe
- petools.exe
- procexp.exe
- procmon.exe
- regmon.exe
- syser.exe
- tcpdump.exe
- tcpview.exe
- vboxservice.exe
- vboxtray.exe
- vmtoolsd.exe
- vmwaretray.exe
- vmwareuser.exe
- winapioverride32.exe
- windbg.exe
- windump.exe
- winspy.exe
- wireshark.exe
Allows backdoor access and control
Backdoor:Win32/Miniduke.A reads tweets from specific Twitter accounts, without the user's knowledge. The tweets contain an encrypted URL pointing to a command and control (C&C) server. The backdoor then connects to the server once it has decrypted the address.
If the Twitter accounts are inaccessible, Backdoor:Win32/Miniduke.A searches using Google for the C&C servers.
Once connected to the server, the backdoor can perform any action as instructed by a remote attacker, including, but not limited to:
- Downloading other malware
- Running other malware
- Stealing information stored in your computer
Additional resources
Analysis by Horea Coroiu
