Experts have identified two new infection vectors

Mar 11, 2013 14:47 GMT

Kaspersky and CrySyS Lab experts have uncovered two new infection mechanisms used by the recently identified MiniDuke malware. 

The attacks start with an apparently harmless website that hosts a piece of malicious code, which works as a primitive exploit kit. This code checks which browser the victim is using and, based on the result, serves one of two exploits.

If victims use Internet Explorer 8, they’re served a malicious .htm file. If they use any other browser that can run Java applets, JavaApplet.html is pushed.

The Java vulnerability exploited by MiniDuke is CVE-2013-0422, patched by Oracle in January. Around the same date, Microsoft addressed the Internet Explorer vulnerability leveraged in the attacks.

Despite the fact that both vulnerabilities had been fixed just before the attacks, it’s likely that they still worked against the targets because in most cases, it takes some time before security updates are applied.

Experts say that other infection vectors might also exist.