Miniduke: web based infection vector

Together with our partner CrySyS Lab, we’ve discovered two new, previously-unknown infection mechanisms for Miniduke. These new infection vectors rely on Java and IE vulnerabilities to infect the victim’s PC.

While inspecting one of the C&C servers of Miniduke, we have found files that were not related to the C&C code, but seemed to be prepared for infecting visitors using web-based vulnerabilities.

The page hxxp://[c2_hostname]/groups/business-principles.html is used as an starting point for the attack. It consists of two frames, one for loading the decoy web page from a legitimate website (copied from http://www.albannagroup.com/business-principles.html), and another for performing malicious activities (hxxp://[c2_hostname]/groups/sidebar.html)

Source code of business-principles.html

Decoy webpage loaded

The second webpage, “sidebar.html” contains 88 lines, mostly JavaScript code, and works as a primitive exploit pack. Its code identifies the victim’s browser and then serves one of two exploits. It also sends collected browser data to another script by sending a POST request to “hxxp://[c2_hostname]/groups/count/write.php”.

Story added 11. March 2013, content source with full text you can find at link above.

Miniduke: web based infection vector

More antivirus and malware news?

Ads

Security news

Malware

Security

IT security

About site

Search Terms Tips

Recent New Tips

Recent Posts