Kaspersky Lab and Hungary’s CrySys Lab have identified new malware, known as MiniDuke, which has been used to attack multiple government entities and institutions worldwide.
Researchers at Kaspersky Lab said MiniDuke targeted government computers in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland along with two think tanks, research institutes and healthcare providers in the US.
According to researchers, the new malicious programme combines sophisticated old-school malware writing skills with new advanced exploits in Adobe Reader to collect geopolitical intelligence from high-profile targets.
"This is a very unusual cyberattack. I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s," said Kaspersky Lab founder and CEO, Eugene Kaspersky.
"I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld.
"These elite, ‘old school’ malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries."
Kaspersky said MiniDuke’s highly customised backdoor was written in Assembler and is very small in size, at just 20KB.
"The combination of experienced old-school malware writers using newly discovered exploits and clever social engineering to compromise high-profile targets is extremely dangerous," added Kaspersky.
Researchers said that the MiniDuke attackers are still active. To compromise victims, the attackers use extremely effective social engineering techniques, sending malicious PDF documents to their targets.
According to researchers, the PDFs were highly relevant – with well-crafted content that fabricated human rights seminar information (ASEM) and Ukraine’s foreign policy along with NATO membership plans.
The malicious PDF files were then rigged with exploits attacking Adobe Reader versions 9, 10, and 11, bypassing its sandbox.
Researchers said a toolkit was used to create these exploits, and it appears to be the same toolkit that was used in the recent attack reported by FireEye.