Miniduke: web based infection vector

Together with our partner CrySyS Lab, we’ve discovered two new, previously-unknown infection mechanisms for Miniduke. These new infection vectors rely on Java and IE vulnerabilities to infect the victim’s PC.

While inspecting one of the C&C servers of Miniduke, we have found files that were not related to the C&C code, but seemed to be prepared for infecting visitors using web-based vulnerabilities.

The page hxxp://[c2_hostname]/groups/business-principles.html is used as a starting point for the attack. It consists of two frames: one loads the decoy web page from a legitimate website (copied from, and the other performs the malicious activity (hxxp://[c2_hostname]/groups/sidebar.html).

Source code of business-principles.html

Decoy webpage loaded

The second webpage, “sidebar.html” contains 88 lines, mostly JavaScript code, and works as a primitive exploit pack. Its code identifies the victim’s browser and then serves one of two exploits. It also sends collected browser data to another script by sending a POST request to “hxxp://[c2_hostname]/groups/count/write.php”.
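The three-step sequence described above (landing page, exploit-serving frame, POST of collected browser data) is a usable detection pattern in proxy logs. The following is an added example written for this page; it is not code from the article, from CrySyS Lab, or from the Miniduke C&C itself. It assumes a simple constructed log format (timestamp, client IP, method, URL, status), uses a placeholder hostname in place of the article's [c2_hostname], and treats the three URL paths as the only indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines (not taken from the article). The host
# c2.example.invalid is a placeholder standing in for [c2_hostname].
SAMPLE_LOG = """\
2013-03-11T10:00:01 10.0.0.5 GET http://c2.example.invalid/groups/business-principles.html 200
2013-03-11T10:00:02 10.0.0.5 GET http://c2.example.invalid/groups/sidebar.html 200
2013-03-11T10:00:03 10.0.0.5 POST http://c2.example.invalid/groups/count/write.php 200
2013-03-11T10:05:00 10.0.0.9 GET http://www.example.org/index.html 200
2013-03-11T10:06:00 10.0.0.9 GET http://c2.example.invalid/groups/business-principles.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# The three stages named in the article, in the order a victim would hit them:
# landing page, exploit-serving frame, POST reporting collected browser data.
STAGES = [
    ("GET", re.compile(r"/groups/business-principles\.html$")),
    ("GET", re.compile(r"/groups/sidebar\.html$")),
    ("POST", re.compile(r"/groups/count/write\.php$")),
]


def parse_log(text):
    """Parse the constructed log format into (time, client, method, path, status)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, method, url, status = m.groups()
        events.append((datetime.fromisoformat(ts), client, method,
                       urlparse(url).path, int(status)))
    return events


def find_chains(events, window=timedelta(minutes=2)):
    """Return (client, first_ts, last_ts) for every client that completed all
    three stages in order within `window` of the landing-page request."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev[1]].append(ev)

    hits = []
    for client, evs in by_client.items():
        evs.sort()
        stage, start = 0, None
        for ts, _, method, path, _ in evs:
            # A stale partial chain is abandoned once the window has elapsed.
            if start is not None and ts - start > window:
                stage, start = 0, None
            want_method, pattern = STAGES[stage]
            if method == want_method and pattern.search(path):
                if stage == 0:
                    start = ts
                stage += 1
                if stage == len(STAGES):
                    hits.append((client, start, ts))
                    stage, start = 0, None
    return hits


def landing_only_clients(events):
    """Clients that fetched the landing page but never reached the POST stage:
    worth a look (blocked exploit, unsupported browser, or a researcher)."""
    landed, reported = set(), set()
    for _, client, method, path, _ in events:
        if method == "GET" and STAGES[0][1].search(path):
            landed.add(client)
        if method == "POST" and STAGES[2][1].search(path):
            reported.add(client)
    return landed - reported


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for client, first, last in find_chains(evs):
        print(f"full chain: {client} {first.isoformat()} -> {last.isoformat()}")
    for client in sorted(landing_only_clients(evs)):
        print(f"landing page only: {client}")
```

Matching on paths rather than on the hostname keeps the rule useful if the same kit is staged on another domain; in a real deployment the three path regexes would be fed from threat intelligence rather than hard-coded, and the window tuned to the proxy's clock resolution.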

Read more: Miniduke: web based infection vector

Story added 11 March 2013; the content source with the full text can be found at the link above.