Security researchers at Kaspersky Lab and FireEye issued a report Thursday warning about a new attack campaign they are calling "ItaDuke." The threat has been detected in spearphishing attacks targeting Uyghur activists in Central Asia and Tibetan activists. The campaign preceded a human rights conference in Geneva this week, according to Kaspersky Lab threat researchers Costin Raiu and Igor Soumenkov.
The PDF exploit, first seen in a wave of attacks in February, targets a vulnerability in Adobe Reader that Adobe patched in a security update issued Feb. 20; any Reader installation that has not applied that update remains exposed to the reused exploit. The first round of attacks, which researchers called MiniDuke, targeted government agencies in Europe. The exploit bypassed Reader's security restrictions, including the sandbox in Adobe Reader X. While it may originally have been developed by a nation state, the Kaspersky researchers said it can be copied and reused by financially motivated cybercriminals, and that may have been the case in the latest attacks.
"This is becoming a common procedure nowadays and we can expect more such piggybacking or exploit-stealing in the future," the Kaspersky researchers said in their analysis of the threat. "It is extremely valuable to any attacker."
The spearphishing messages in the latest attacks carry a malicious PDF. Once the victim opens it, the exploit runs and installs malware signed with a stolen digital certificate, which lets it pass code-signing checks. It drops a backdoor; once the backdoor connects to a command-and-control server, a remote attacker can gain access to the victim's PC. Kaspersky researchers said some of the techniques built into the attack resemble the Tilded platform used in the Duqu and Stuxnet attacks.
The researchers also said the command-and-control IP addresses point to a server located in China.
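The attack chain described above (a booby-trapped PDF that runs on open and drops a backdoor) is usually caught first at the mail gateway or on an analyst's desk by static triage of the document itself, before any sandbox or signature verdict. The following is an added example, not code from Kaspersky Lab, FireEye or the campaign described: a small Python scanner that flags the PDF features exploit documents depend on (auto-run actions, JavaScript, launch actions, embedded files), after undoing the `#xx` name escapes and inflating the Flate-compressed streams that attackers use to hide those names from naive string matching. The indicator weights, the alert threshold and the two sample PDFs are assumptions constructed for the example; the samples contain no exploit, only a benign alert.

```python
"""Static triage of a PDF for the document features exploit campaigns rely on.

Added example, not code from Kaspersky Lab, FireEye or the campaign described.
The sample PDFs built below are constructed for the example and hold no exploit.
"""
import re
import zlib

# PDF name objects that rarely appear in a document someone e-mails you but are
# what an exploit document needs: auto-run hooks, script, launch actions, payload
# containers.  Weights are an assumption chosen for this example.
INDICATORS = {
    b"/OpenAction": 2, b"/AA": 2,            # run something when the file opens
    b"/JavaScript": 3, b"/JS": 3,            # script (heap spray, exploit trigger)
    b"/Launch": 4,                           # run an external program
    b"/EmbeddedFile": 2, b"/RichMedia": 2,   # dropped payload or Flash container
    b"/XFA": 1, b"/AcroForm": 1, b"/JBIG2Decode": 1,  # parsers with exploit history
}
ALERT_THRESHOLD = 5  # assumption: tune against a corpus of known-good documents

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# \b keeps "endstream" from being taken as the start of a stream.
_STREAM = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape_names(data: bytes) -> bytes:
    """Undo #xx escapes in names (/Java#53cript -> /JavaScript) used to defeat grep."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Return the inflated content of every Flate-compressed stream, joined."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            # decompressobj tolerates a truncated trailer, so a stray \r before
            # "endstream" being eaten by the regex does not lose the payload.
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate (or damaged); the raw bytes are scanned anyway
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """Count suspicious names in the raw file and its inflated streams, then score."""
    if b"%PDF-" not in data[:1024]:  # Reader accepts junk ahead of the header
        raise ValueError("no PDF header in the first 1024 bytes")
    visible = _unescape_names(data)
    hidden = _unescape_names(_inflate_streams(data))
    counts = {}
    for name in INDICATORS:
        pat = re.compile(re.escape(name) + rb"(?![A-Za-z])")  # /JS must not hit /JSX
        n = len(pat.findall(visible)) + len(pat.findall(hidden))
        if n:
            counts[name.decode()] = n
    score = sum(INDICATORS[k.encode()] * n for k, n in counts.items())
    return {"indicators": counts, "score": score, "suspicious": score >= ALERT_THRESHOLD}


def build_sample(with_js: bool) -> bytes:
    """Construct a minimal PDF.  With with_js=True the catalog auto-runs an action
    that is hidden inside a Flate-compressed object stream under a hex-escaped
    name, the same hiding tricks real exploit documents use.  The script is benign."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 5 0 R" if with_js else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if with_js:
        inner = b"5 0 << /S /Java#53cript /JS (app.alert('constructed sample')) >>"
        payload = zlib.compress(inner)
        objs.append(b"<< /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>\nstream\n"
                    % len(payload) + payload + b"\nendstream")
    body = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        body += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for label, pdf in (("benign", build_sample(False)), ("spearphish", build_sample(True))):
        print(label, triage_pdf(pdf))
```

Running the module prints a zero score for the plain document and flags the second one on three indicators (`/OpenAction` in the clear, `/JavaScript` and `/JS` only after the object stream is inflated and the name unescaped). This is a triage filter, not a verdict: a benign form can legitimately carry `/AcroForm` or `/JS`, so hits should route the file to a detonation sandbox or an analyst rather than be treated as proof of an exploit.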
"The threat actors behind these attacks are very active and continuously use new methods and new exploits to attack their victims," the Kaspersky researchers said in their analysis of the threat.
Individuals and small and midsize businesses could be at risk of targeted attacks and should assess whether their work or activities would be of interest to cybercriminals, security experts said. AlienVault Labs researcher Jaime Blasco said in his analysis that the latest threat shows multiple threat actors are using the same exploits.
PUBLISHED MARCH 14, 2013