MiniDuke Remote Access Trojan
MiniDuke, also known as CosmicDuke or TinyBaron, is a remote access trojan targeting users in Europe, North America and Asia. It was first seen in 2011 but has gone through multiple revisions since then, adding new capabilities and altering the infection vector.
Sophisticated PDF lure documents distributed in phishing campaigns are used to deliver MiniDuke. These documents contain exploits for two Adobe Reader vulnerabilities as well as a downloader for the main MiniDuke DLL module.
Once installed, MiniDuke will create a new task in the Windows Task Scheduler to spawn an instance of itself at start-up before connecting to a command and control server. Its primary function appears to be data exfiltration, collecting and transmitting files based on their extension and filename, however it is also able to install secondary malware and execute commands.
The following exploits have been used to trigger the infection:
CVE-2011-2462 – This vulnerability could cause the application to crash and potentially allow an attacker to take control of the affected system. Details here
CVE-2013-0640 – This vulnerability could cause the application to crash and potentially allow an attacker to take control of the affected system. Details here
Affected Platforms
- Microsoft Windows – All versions
Key Hosts To Block
arabooks.ch artas.org tsoftonline.com www.eamtm.com news.grouptumbler.com 200.63.46.23 194.38.160.153 95.128.72.24 72.34.47.186 188.40.99.143 85.95.236.114
Host’s To Block
* observe caution as some of these domains are genuine, it is best to use the above block list first.
| IP Address |
DOMAIN |
| 1[.]112[.]1[.]1 | airtravelabroad[.]com |
| 1[.]212[.]1[.]1 | albawaba[.]com |
| 101[.]64[.]234[.]86 | apnews[.]com |
| 101[.]98[.]11[.]146 | arabooks[.]ch |
| 103[.]16[.]152[.]10 | artas[.]org |
| 103[.]21[.]198[.]13 | beijingnewsblog[.]net |
| 103[.]226[.]132[.]7 | billmoyers[.]com |
| 103[.]23[.]136[.]10 | cderlearn[.]com |
| 103[.]244[.]164[.]3 | cognizant[.]com |
| 103[.]253[.]41[.]55 | computerworlduk[.]com |
| 103[.]254[.]108[.]7 | cybersecurity-review[.]com |
| 103[.]254[.]16[.]168 | data[.]cat |
| 103[.]38[.]193[.]6 | desmoinesregister[.]com |
| 103[.]38[.]43[.]207 | diplomacy[.]pl |
| 103[.]41[.]177[.]77 | directinvesting[.]com |
| 103[.]41[.]52[.]37 | eamtm[.]co |
| 103[.]41[.]52[.]39 | flickr[.]com |
| 103[.]8[.]24[.]66 | gog[.]com |
| 104[.]128[.]161[.]233 | goo[.]gl |
| 104[.]152[.]208[.]166 | grouptumbler[.]com |
| 104[.]207[.]130[.]126 | hackerstorm[.]co[.]uk |
| 104[.]233[.]108[.]157 | itwhitepapers[.]com |
| 104[.]236[.]58[.]27 | kasperskycontenthub[.]com |
| 104[.]237[.]152[.]195 | leveldelta[.]com |
| 104[.]36[.]83[.]204 | littjohnwilhap[.]ru |
| 104[.]93[.]114[.]201 | mail[.]ru |
| 106[.]187[.]37[.]101 | mame[.]dk |
| 106[.]187[.]99[.]148 | marketwire[.]com |
| 107[.]181[.]174[.]84 | miltonsecurity[.]com |
| 107[.]182[.]131[.]117 | mirea[.]ru |
| 108[.]166[.]168[.]158 | mspmentor[.]net |
| 108[.]28[.]164[.]248 | nasdaqblog[.]net |
| 108[.]61[.]123[.]73 | natureinhome[.]com |
| 108[.]61[.]152[.]252 | navy[.]mil |
| 108[.]61[.]166[.]139 | nestedmail[.]com |
| 108[.]61[.]187[.]24 | nostressjob[.]com |
| 108[.]61[.]228[.]153 | nytunion[.]com |
| 109[.]103[.]167[.]206 | oberhumer[.]com |
| 109[.]163[.]234[.]2 | oilnewsblog[.]com |
| 109[.]163[.]234[.]5 | one2shoppee[.]com |
| 109[.]163[.]234[.]8 | overpict[.]com |
| 109[.]173[.]113[.]248 | pfdregistry[.]net |
| 109[.]173[.]45[.]225 | recon[.]cx |
| 109[.]188[.]124[.]120 | reduct[.]ru |
| 109[.]188[.]124[.]135 | ritsoperrol[.]ru |
| 109[.]188[.]124[.]168 | sixsquare[.]net |
| 109[.]188[.]124[.]23 | switchup[.]tv |
| 109[.]188[.]124[.]25 | sxc[.]hu |
| 109[.]188[.]124[.]36 | symantec[.]cloud |
| 109[.]188[.]124[.]43 | talkincloud[.]com |
| 109[.]188[.]124[.]46 | time-server[.]org |
| 109[.]188[.]124[.]47 | time[.]day |
| 109[.]188[.]124[.]65 | timer[.]pl |
| 109[.]188[.]124[.]80 | toolinux[.]com |
| 109[.]188[.]125[.]12 | trainingindustry[.]com |
| 109[.]188[.]125[.]13 | tsoftonline[.]com |
| 109[.]188[.]125[.]19 | tumbler[.]com |
| 109[.]188[.]125[.]20 | us[.]gov |
| 109[.]188[.]125[.]3 | varanoid[.]com |
| 109[.]188[.]125[.]30 | virussign[.]com |
| 109[.]188[.]125[.]32 | washingtonmonthly[.]com |
| 109[.]188[.]125[.]33 | waterfilter[.]in[.]ua |
| 109[.]188[.]125[.]4 | wilcarobbe[.]com |
| 109[.]188[.]125[.]40 | |
| 109[.]188[.]125[.]5 | |
| 109[.]188[.]125[.]52 | |
| 109[.]188[.]125[.]60 | |
| 109[.]188[.]125[.]9 | |
| 109[.]188[.]126[.]11 | |
| 109[.]188[.]126[.]12 | |
| 109[.]188[.]126[.]13 | |
| 109[.]188[.]126[.]14 | |
| 109[.]188[.]126[.]15 | |
| 109[.]188[.]126[.]18 | |
| 109[.]188[.]126[.]181 | |
| 109[.]188[.]126[.]21 | |
| 109[.]188[.]126[.]30 | |
| 109[.]188[.]126[.]39 | |
| 109[.]188[.]126[.]43 | |
| 109[.]188[.]126[.]44 | |
| 109[.]188[.]126[.]57 | |
| 109[.]188[.]127[.]23 | |
| 109[.]188[.]127[.]27 | |
| 109[.]188[.]127[.]28 | |
| 109[.]188[.]127[.]34 | |
| 109[.]188[.]127[.]52 | |
| 109[.]188[.]127[.]60 | |
| 173[.]194[.]35[.]1 | |
| 173[.]194[.]70[.]101 | |
| 176[.]74[.]216[.]14 | |
| 178[.]170[.]164[.]84 | |
| 178[.]21[.]172[.]157 | |
| 188[.]116[.]32[.]164 | |
| 188[.]241[.]115[.]41 | |
| 195[.]43[.]94[.]104 | |
| 199[.]231[.]188[.]109 | |
| 200[.]63[.]46[.]23 | |
| 212[.]76[.]128[.]149 | |
| 85[.]95[.]236[.]114 | |
| 94[.]242[.]199[.]88 |
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.