MiniDuke Remote Access Trojan

MiniDuke, also known as CosmicDuke or TinyBaron, is a remote access trojan targeting users in Europe, North America and Asia. It was first seen in 2011 but has gone through multiple revisions since then, adding new capabilities and altering the infection vector.

Sophisticated PDF lure documents distributed in phishing campaigns are used to deliver MiniDuke. These documents contain exploits for two Adobe Reader vulnerabilities as well as a downloader for the main MiniDuke DLL module.

Once installed, MiniDuke creates a task in the Windows Task Scheduler that spawns a new instance of itself at start-up, then connects to a command and control server. Its primary function appears to be data exfiltration, collecting and transmitting files selected by extension and filename; however, it can also install secondary malware and execute commands.

The following exploits have been used to trigger the infection:

CVE-2011-2462 – This vulnerability could cause the application to crash and potentially allow an attacker to take control of the affected system.

CVE-2013-0640 – This vulnerability could cause the application to crash and potentially allow an attacker to take control of the affected system.

Affected Platforms

  • Microsoft Windows – All versions

Key Hosts To Block

arabooks.ch
artas.org
tsoftonline.com
www.eamtm.com
news.grouptumbler.com
200.63.46.23
194.38.160.153
95.128.72.24
72.34.47.186
188.40.99.143
85.95.236.114

Hosts To Block

* Observe caution: some of these domains are legitimate, so apply the block list above first.

IP Addresses

1[.]112[.]1[.]1
1[.]212[.]1[.]1
101[.]64[.]234[.]86
101[.]98[.]11[.]146
103[.]16[.]152[.]10
103[.]21[.]198[.]13
103[.]226[.]132[.]7
103[.]23[.]136[.]10
103[.]244[.]164[.]3
103[.]253[.]41[.]55
103[.]254[.]108[.]7
103[.]254[.]16[.]168
103[.]38[.]193[.]6
103[.]38[.]43[.]207
103[.]41[.]177[.]77
103[.]41[.]52[.]37
103[.]41[.]52[.]39
103[.]8[.]24[.]66
104[.]128[.]161[.]233
104[.]152[.]208[.]166
104[.]207[.]130[.]126
104[.]233[.]108[.]157
104[.]236[.]58[.]27
104[.]237[.]152[.]195
104[.]36[.]83[.]204
104[.]93[.]114[.]201
106[.]187[.]37[.]101
106[.]187[.]99[.]148
107[.]181[.]174[.]84
107[.]182[.]131[.]117
108[.]166[.]168[.]158
108[.]28[.]164[.]248
108[.]61[.]123[.]73
108[.]61[.]152[.]252
108[.]61[.]166[.]139
108[.]61[.]187[.]24
108[.]61[.]228[.]153
109[.]103[.]167[.]206
109[.]163[.]234[.]2
109[.]163[.]234[.]5
109[.]163[.]234[.]8
109[.]173[.]113[.]248
109[.]173[.]45[.]225
109[.]188[.]124[.]120
109[.]188[.]124[.]135
109[.]188[.]124[.]168
109[.]188[.]124[.]23
109[.]188[.]124[.]25
109[.]188[.]124[.]36
109[.]188[.]124[.]43
109[.]188[.]124[.]46
109[.]188[.]124[.]47
109[.]188[.]124[.]65
109[.]188[.]124[.]80
109[.]188[.]125[.]12
109[.]188[.]125[.]13
109[.]188[.]125[.]19
109[.]188[.]125[.]20
109[.]188[.]125[.]3
109[.]188[.]125[.]30
109[.]188[.]125[.]32
109[.]188[.]125[.]33
109[.]188[.]125[.]4
109[.]188[.]125[.]40
109[.]188[.]125[.]5
109[.]188[.]125[.]52
109[.]188[.]125[.]60
109[.]188[.]125[.]9
109[.]188[.]126[.]11
109[.]188[.]126[.]12
109[.]188[.]126[.]13
109[.]188[.]126[.]14
109[.]188[.]126[.]15
109[.]188[.]126[.]18
109[.]188[.]126[.]181
109[.]188[.]126[.]21
109[.]188[.]126[.]30
109[.]188[.]126[.]39
109[.]188[.]126[.]43
109[.]188[.]126[.]44
109[.]188[.]126[.]57
109[.]188[.]127[.]23
109[.]188[.]127[.]27
109[.]188[.]127[.]28
109[.]188[.]127[.]34
109[.]188[.]127[.]52
109[.]188[.]127[.]60
173[.]194[.]35[.]1
173[.]194[.]70[.]101
176[.]74[.]216[.]14
178[.]170[.]164[.]84
178[.]21[.]172[.]157
188[.]116[.]32[.]164
188[.]241[.]115[.]41
195[.]43[.]94[.]104
199[.]231[.]188[.]109
200[.]63[.]46[.]23
212[.]76[.]128[.]149
85[.]95[.]236[.]114
94[.]242[.]199[.]88

Domains

airtravelabroad[.]com
albawaba[.]com
apnews[.]com
arabooks[.]ch
artas[.]org
beijingnewsblog[.]net
billmoyers[.]com
cderlearn[.]com
cognizant[.]com
computerworlduk[.]com
cybersecurity-review[.]com
data[.]cat
desmoinesregister[.]com
diplomacy[.]pl
directinvesting[.]com
eamtm[.]co
flickr[.]com
gog[.]com
goo[.]gl
grouptumbler[.]com
hackerstorm[.]co[.]uk
itwhitepapers[.]com
kasperskycontenthub[.]com
leveldelta[.]com
littjohnwilhap[.]ru
mail[.]ru
mame[.]dk
marketwire[.]com
miltonsecurity[.]com
mirea[.]ru
mspmentor[.]net
nasdaqblog[.]net
natureinhome[.]com
navy[.]mil
nestedmail[.]com
nostressjob[.]com
nytunion[.]com
oberhumer[.]com
oilnewsblog[.]com
one2shoppee[.]com
overpict[.]com
pfdregistry[.]net
recon[.]cx
reduct[.]ru
ritsoperrol[.]ru
sixsquare[.]net
switchup[.]tv
sxc[.]hu
symantec[.]cloud
talkincloud[.]com
time-server[.]org
time[.]day
timer[.]pl
toolinux[.]com
trainingindustry[.]com
tsoftonline[.]com
tumbler[.]com
us[.]gov
varanoid[.]com
virussign[.]com
washingtonmonthly[.]com
waterfilter[.]in[.]ua
wilcarobbe[.]com
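The indicator lists above are published defanged (`[.]` in place of `.`) and in two confidence tiers. As an added example, not code from the original post, the Python below refangs both lists, separates IP addresses from domains, and scans a few DNS/proxy log lines, tagging hits from the key list as "block" and hits from the broader list as "review", in keeping with the caution note above. Only a handful of indicators from the post are embedded; the log format and the log lines themselves are constructed for the example and are not from the post. Domain matching walks up parent labels, so a query for a subdomain of a listed domain is still caught.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators copied from the post. KEY_HOSTS is the high-confidence block list;
# BROAD_LIST is a handful of entries from the longer, lower-confidence list,
# which the post warns contains some legitimate domains.
KEY_HOSTS = """
arabooks.ch
artas.org
tsoftonline.com
www.eamtm.com
news.grouptumbler.com
200.63.46.23
194.38.160.153
95.128.72.24
72.34.47.186
188.40.99.143
85.95.236.114
"""

BROAD_LIST = """
101[.]98[.]11[.]146
109[.]188[.]125[.]13
flickr[.]com
mail[.]ru
tsoftonline[.]com
"""

# Constructed log lines (not from the post): "<timestamp> <client> <source> <detail>".
LOG_LINES = [
    "2014-07-02T10:11:12Z 10.0.0.5 dns query news.grouptumbler.com",
    "2014-07-02T10:11:13Z 10.0.0.5 proxy CONNECT 200.63.46.23:443",
    "2014-07-02T10:12:40Z 10.0.0.7 dns query www.flickr.com",
    "2014-07-02T10:13:01Z 10.0.0.9 dns query example.org",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Host names need an alphabetic TLD, so dotted IPs are not picked up twice.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used in the published list."""
    return indicator.strip().replace("[.]", ".")


def parse_indicators(text: str) -> Tuple[Set[str], Set[str]]:
    """Split a newline-separated indicator list into (ip_addresses, domains)."""
    ips: Set[str] = set()
    domains: Set[str] = set()
    for line in text.splitlines():
        ind = refang(line)
        if not ind:
            continue
        try:
            ips.add(str(ipaddress.ip_address(ind)))
        except ValueError:
            domains.add(ind.lower())
    return ips, domains


def domain_match(host: str, domains: Set[str]) -> Optional[str]:
    """Return the indicator that host or one of its parent domains matches.

    news.grouptumbler.com matches an indicator of grouptumbler.com; the bare
    TLD is never tested, so 'com' on its own cannot match anything.
    """
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_logs(lines, tiers: Dict[str, Tuple[Set[str], Set[str]]]) -> List[Tuple[str, str, str]]:
    """Return (line, indicator, tier) for every log line touching an indicator.

    Tiers are checked in the order given, so a hit in an earlier (higher
    confidence) tier wins over the same indicator in a later one.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        for ip in IP_RE.findall(line):
            for tier, (ips, _) in tiers.items():
                if ip in ips:
                    hits.append((line, ip, tier))
                    break
        for host in HOST_RE.findall(line):
            for tier, (_, domains) in tiers.items():
                matched = domain_match(host, domains)
                if matched:
                    hits.append((line, matched, tier))
                    break
    return hits


def run_example() -> List[Tuple[str, str, str]]:
    """Scan the constructed log lines against both tiers; key list first."""
    tiers = {
        "block": parse_indicators(KEY_HOSTS),
        "review": parse_indicators(BROAD_LIST),
    }
    return scan_logs(LOG_LINES, tiers)


if __name__ == "__main__":
    for line, indicator, tier in run_example():
        print(f"[{tier:6}] {indicator:24} <- {line}")
```

Feeding real DNS or proxy logs into `scan_logs` only requires that the lines contain plain host names or dotted IPs; the "review" tier exists so that hits on domains such as flickr.com or mail.ru are surfaced for an analyst rather than blocked outright.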

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
