Unidentified attackers have infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden and Twitter and Google to ensure it always has a way to receive updates.

MiniDuke, as researchers from Kaspersky Lab and Hungary-based CrySyS Lab have dubbed the threat, bears the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-Zine by the same name. Because MiniDuke is written in assembly language, most of its computer files are tiny. Its use of multiple levels of encryption and clever coding tricks makes the malware hard to detect and reverse engineer. It also employs a method known as steganography, in which updates received from control servers are stashed inside image files.

In another testament to the skill of the attackers, MiniDuke has taken hold of government agencies, think tanks, a US-based healthcare provider, and other high-profile organizations using the first known exploit to pierce the security sandbox in Adobe Systems' Reader application. Adding intrigue to this, the MiniDuke exploit code contained references to Dante Alighieri's Divine Comedy and also alluded to 666, the Mark of the Beast discussed in a verse from the Book of Revelation.

"When we started looking at the backdoors themselves, we said, 'Now this is very interesting' because it's certainly professionally done and it takes us back to a golden age of the incredibly complex viruses and coding techniques that were used when 29A was around," Kaspersky Lab expert Kurt Baumgartner told Ars. "29A was the elite of the elite when it came to virus writing. Everybody hoped that their stuff never got out, because they were writing metamorphic, viral engines. They advanced viral code that they maintained in their magazine."

Three’s company

MiniDuke is a three-stage attack that drops its first payload after tricking a victim into opening an authentic-looking PDF document referring to highly relevant topics including human rights, Ukraine's foreign policy, and NATO membership plans. Infected machines then use Twitter or Google to retrieve encrypted instructions showing them where to report for additional backdoors. Stages two and three are stashed inside a GIF image file downloaded from the command server. Neither Kaspersky nor CrySyS is saying publicly what the malware does once it takes hold of a victim until they have had a chance to privately warn infected organizations.

"What we know is that some threat actor systematically attacked governmental organizations, and here we are not speaking about libraries, but highest-ranked organizations with malware in many NATO states," Boldizsar Bencsath, a researcher with CrySyS, wrote in an e-mail to Ars. "As well, they attacked human rights organizations, which is also a clear attack on democracy. In this situation the appropriate response should be organized and agile."

He said he's aware of at least 60 victims. Kaspersky has identified at least 23 affected countries, including the US, Hungary, Ukraine, Belgium, Portugal, Romania, the Czech Republic, Brazil, Germany, Israel, Japan, Russia, Spain, the UK, and Ireland.

Kaspersky's report on MiniDuke is here. The CrySyS analysis is here, and the lab has published a separate document that shows experienced researchers how to detect the malware on infected machines.

MiniDuke's minimalistic approach, multiple levels of encryption, selection of victims, and use of compromised servers as command channels reminds Kaspersky researchers of both the Duqu and the more recently discovered Red October espionage platforms. But the exploit code's literary and biblical references and allusions to hellish stories and situations are highly unusual for espionage malware of this caliber and success.

Although the Stuxnet virus contained what some researchers believe may be references to the Jewish Purim queen and the date an Iranian Jewish businessman was executed by firing squad in Tehran, the imagery in the MiniDuke exploit is altogether different. The Adobe exploit, which was first discovered by security firm FireEye, was also used in an attack Kaspersky researchers believe is unrelated to MiniDuke.

"There's images of hell and there's some numeric stuff littered in the zero-day that we would see back in the days of old-school virus writers that you don't see anymore," Baumgartner said. Because the initial attack that installs MiniDuke may have been spawned from an exploit tool, it's not entirely clear who is responsible for the biblical and literary references.

Then there's the multilayered technical agility of the malware, including its ability to dynamically scan all functions from memory instead of importing them.

"The uses of encryption here along with taking these old assembler techniques and pushing them into a malware package that incorporates a highly resilient infrastructure implementing communications with high-availability services like Twitter and Google is just weird," Baumgartner said. "We're calling a backdoor DLL with no imports weird, which it is. It takes an old-school virus writer to come up with something like that."

Listing image by 12th St David (back and catching up)