MiniDuke: Multi Component info-stealer spreads via Social Engineering


The Dell SonicWALL Threats Research team observed reports of a new multi-component bot family named MiniDuke actively spreading in the wild.

These variations have been seen as far back as July 2012 and continue to operate as of September 2014.

MiniDuke steals various data from the infected computer and sends it to a Command & Control server. The stolen data include passwords stored by various web browsers, email clients, instant messengers, and other applications. The malware also performs key logging, takes screenshots, and steals clipboard data. It may create a scheduled task and a service in order to start again after system reboots.

Infection Cycle:

The Trojan uses the following icons:

Md5: dc6cc442c0900104a5601a6049354fad

The Trojan adds the following files to the file system:

C:\Program Files\Common Files\Microsoft Shared\ynqyyv.exe [Detected as W32/Miniduke.A]

C:\WINDOWS\system32\usbnet.exe and %Userprofile%\Application Data\Adobe\syscmvk.exe

%Userprofile%\Local Settings\Temp\ynqyyv.dll and C:\Program Files\Common Files\Microsoft Shared\ynqyyv.dll [DLL module]

The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:

%Userprofile%\Local Settings\Temp\ynqyyvreg.reg [Creates a startup service]

The infection starts by social-engineering victims into opening either a Windows executable with a fake name that makes it look like a document or image file, or a PDF file that contains an exploit. Here is an example of a fake document file:

Once the victim opens the file, the malware starts gathering information. The data collection components found in the malware include a keylogger, a clipboard stealer, screenshot capture, and password stealers for a variety of popular chat, email and web browsing programs. Once the information has been collected, it is sent to remote servers using FTP.

Rundll32.exe is injected by MiniDuke and used to copy all of the malware's components onto the target system.

The malware creates two processes, usbsrv.exe and syscmvk.exe, from C:\WINDOWS\system32\usbsrv.exe and %Userprofile%\Application Data\Adobe\syscmvk.exe.

All of these files carry fake file properties claiming "Copyright (C) NVIDIA Corporation. All rights reserved".

usbsrv.exe is registered as a "Watchmon Service" job in the Task Scheduler service and in the following Windows registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

syscmvk.exe tries to run the following commands in a command shell:

KeyLogger and Info Stealer

MiniDuke's keylogger uses GetKeyState and GetKeyboardState to capture the keys pressed on the target system. Key logging is skipped if one of the following anti-virus processes is running on the infected system:

Here is an example of captured keylogger and clipboard data:

MiniDuke searches the hard drives and network drives for files that match any of the patterns below:

It ignores files that match any of the following patterns:

  • *.exe;
  • *.ndb;
  • *.mp3;

Info Stealer Component:
The malware has the capability to target the following software:

For example, MiniDuke steals the Skype login MD5 hash; the attacker can then obtain the victim's Skype username and password by brute-forcing the MD5 or, for other instant messengers, by decrypting the stored hashes.

The malware has also been observed with other stealing functionality targeting applications such as Chrome, Firefox and Internet Explorer; among other things it retrieves the list of stored web logins, such as the following:

The malware attempts to create a file in the C:\Documents and Settings\All Users\Documents folder whose name follows this format:

ntuser{4CB43D7F-7EEE-4906-8698-<8 Hexadecimal numbers>.pol

Here is an example of the encrypted data:

HTTP POST to Command and Control (C&C)

MiniDuke communicates with its C&C over HTTP. HTTP POST requests to one or more statically defined URLs are made on a regular basis. These POST requests carry the following fields, in this order:

  • m or mgn
  • Auth
  • Session
  • DataID
  • FamilyID
  • BranchID
  • VolumeID
  • User
  • Query

The first field has no value. Auth is the sample ID, the same 8-character hex string that can be found in the PDB path, such as c:\botgenstudio\generations\8f1777b0\bin\Bot.pdb

The value of Query depends on the request. It is a Base64-encoded, RC4-encrypted string composed of a 256-character string repeated seven times.
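As an added illustration (not code from the original post), the following Python checks a captured urlencoded POST body against the field layout described above: a valueless m/mgn field, the fixed field sequence, an 8-hex-character Auth, and a Base64 Query whose decoded length is 7 × 256 bytes (RC4 is a stream cipher, so the ciphertext keeps the plaintext length). The sample body is constructed here; only the 8f1777b0 sample ID comes from the post.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode

# Field sequence described for MiniDuke C&C POST bodies: a valueless "m" or
# "mgn", then these names in exactly this order.
MINIDUKE_FIELDS = ["Auth", "Session", "DataID", "FamilyID",
                   "BranchID", "VolumeID", "User", "Query"]
AUTH_RE = re.compile(r"^[0-9a-fA-F]{8}$")   # Auth is the 8-hex-char sample ID
QUERY_LEN = 256 * 7   # Query plaintext: a 256-char string repeated seven times;
                      # RC4 keeps the length, so the decoded Base64 matches it

def miniduke_sample_id(body: str):
    """Return the Auth sample ID when a urlencoded POST body matches the
    described layout, otherwise None."""
    pairs = parse_qsl(body, keep_blank_values=True)
    names = [k for k, _ in pairs]
    if len(pairs) != 1 + len(MINIDUKE_FIELDS):
        return None
    if names[0] not in ("m", "mgn") or pairs[0][1] != "":
        return None
    if names[1:] != MINIDUKE_FIELDS:
        return None
    values = dict(pairs[1:])
    if not AUTH_RE.match(values["Auth"]):
        return None
    try:
        blob = base64.b64decode(values["Query"], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return values["Auth"] if len(blob) == QUERY_LEN else None

def build_sample(auth: str = "8f1777b0") -> str:
    """Constructed test body, not real traffic. The Query value stands in for
    the RC4 ciphertext: 7*256 fixed bytes, Base64-encoded like the real field."""
    query = base64.b64encode(b"A" * QUERY_LEN).decode()
    fields = {"Auth": auth, "Session": "1", "DataID": "2", "FamilyID": "3",
              "BranchID": "4", "VolumeID": "5", "User": "victim", "Query": query}
    return "m=&" + urlencode(fields)

if __name__ == "__main__":
    print(miniduke_sample_id(build_sample()))      # 8f1777b0
    print(miniduke_sample_id("user=a&pass=b"))     # None
```

The returned sample ID can be matched against the 8-hex-character value in the PDB path when triaging which build a beacon belongs to.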

Rundll32.exe is injected by the malware and relays the malware's traffic to the C&C servers.

The C&C servers are listed below (but are not limited to these); MiniDuke also uses an FTP server for file transfer via the following IPs and user names:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: MiniDuke.A (Trojan)