MINIBIKE: When Cats Fly (Under the Radar)
MINIBIKE is a custom malware family written in C++ and in use since at least June 2022. Once installed, it provides full backdoor functionality, including directory and file enumeration, collection of system files and system information, file upload, and execution of additional processes.
The MINIBIKE platform usually consists of three utilities bundled in an archive and delivered via spear phishing:

- The MINIBIKE backdoor, usually in the form of a .dll or a .dat file
- A launcher, executed via search-order hijacking (SOH), which deploys MINIBIKE and establishes its persistence using registry keys
- A legitimate or fake executable, used to mask the malicious MINIBIKE deployment. Mandiant observed different MINIBIKE versions use three applications for this purpose: Microsoft SharePoint, Microsoft OneDrive, and a fake Hamas-related .NET application.
The MINIBIKE platform has been in use since at least June 2022 and has gradually been developed into several versions that differ from each other in lures, features, and functionality. While Mandiant did not observe any embedded version numbers, the MINIBIKE instances can be divided into the following versions.
| Ver. | Date | Changes (Compared to Earlier Version) | Geographies | Example MD5 |
|---|---|---|---|---|
| 1.0 | June 2022 | First version; C2 server geolocated in Iran (not Azure); submitted to a public malware repository from Iran; legitimate SharePoint installation as a lure; bundled in an IMG drive ("Screenshot.img"); export DLL name: "update.dll" | Iran | adef679c6aa6860a |
| 1.1 | October–November 2022 | First use of Azure subdomains for C2; three embedded, only one used; first use of OneDrive installation as a lure and as a registry key for persistence; export DLL name: "Mini.dll" | UAE, Turkey | 409c2ac789015e76 |
| 2.0 | August 2023 | Three to five Azure C2 domains used successively in a loop; bundled in a ZIP file ("Survey.zip"); additional obfuscation; additional functionality and commands; export DLL name: "Mini-Junked.dll" | Israel, UAE | 691d0143c0642ff7 |
| 2.1 | August 2023 | Uses "Image Photo Viewer" registry key for persistence; additional obfuscation; three Azure C2 domains | Israel, India | e3dc8810da71812b |
| 2.2 | August–October 2023 | Four Azure C2 domains; reverts back to OneDrive registry key for persistence; additional functionality and commands; additional obfuscation; beacon communication looping over three "files": index.html, favicon.ico, icon.svg; export DLL name: "Micro.dll" | Israel, UAE | 054c67236a86d9ab |
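The 2.x rows above describe a beacon pattern that is easy to hunt for in web proxy telemetry: a handful of Azure-hosted C2 hostnames cycled in a loop, with requests for the same three static-looking paths (index.html, favicon.ico, icon.svg). The following script is an added example for defenders and is not Mandiant's code or part of the original report; the log format, the source IPs, and the `.invalid` hostnames are constructed, and the thresholds (`min_cycles`, `min_hosts`) are assumptions chosen to suppress the ordinary browser case of one site serving its own index page and favicon.

```python
"""Hunt for MINIBIKE-style beacon loops in web proxy logs (added example).

A host that repeatedly walks the exact sequence index.html -> favicon.ico ->
icon.svg, and does so against several distinct hostnames, matches the 2.x
beacon behaviour described in the table. One site serving its own index
page and favicon to a normal browser produces a single cycle against a
single host and is not flagged.
"""
from collections import defaultdict

# Beacon paths taken from the MINIBIKE 2.2 description.
BEACON_PATHS = ("/index.html", "/favicon.ico", "/icon.svg")

# Constructed proxy log: "<timestamp> <src_ip> <dest_host> <path>".
# Hostnames are placeholders, not real MINIBIKE infrastructure.
SAMPLE_LOG = """\
2023-09-01T10:00:00Z 10.1.1.5 c2-a.example-azure.invalid /index.html
2023-09-01T10:00:01Z 10.1.1.5 c2-a.example-azure.invalid /favicon.ico
2023-09-01T10:00:02Z 10.1.1.5 c2-a.example-azure.invalid /icon.svg
2023-09-01T10:05:00Z 10.1.1.5 c2-b.example-azure.invalid /index.html
2023-09-01T10:05:01Z 10.1.1.5 c2-b.example-azure.invalid /favicon.ico
2023-09-01T10:05:02Z 10.1.1.5 c2-b.example-azure.invalid /icon.svg
2023-09-01T10:10:00Z 10.1.1.5 c2-c.example-azure.invalid /index.html
2023-09-01T10:10:01Z 10.1.1.5 c2-c.example-azure.invalid /favicon.ico
2023-09-01T10:10:02Z 10.1.1.5 c2-c.example-azure.invalid /icon.svg
2023-09-01T10:00:00Z 10.1.1.9 www.example.com /index.html
2023-09-01T10:00:01Z 10.1.1.9 www.example.com /favicon.ico
2023-09-01T10:00:02Z 10.1.1.9 www.example.com /about.html
2023-09-01T10:00:03Z 10.1.1.9 www.example.com /icon.svg
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, host, path)."""
    ts, src, host, path = line.split()
    return ts, src, host, path


def find_beacon_loops(lines, min_cycles=2, min_hosts=2):
    """Return {src_ip: {"hosts": [...], "cycles": n}} for suspicious sources.

    A "cycle" is three consecutive beacon-path requests from the same source
    in the exact order index.html, favicon.ico, icon.svg (any hostnames).
    A source is reported when it completes at least min_cycles cycles that
    together touch at least min_hosts distinct hostnames.
    """
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        _ts, src, host, path = parse_line(line)
        per_src[src].append((host, path))

    results = {}
    for src, reqs in per_src.items():
        # Keep only requests for beacon paths, preserving order.
        seq = [(h, p) for h, p in reqs if p in BEACON_PATHS]
        cycles, hosts, i = 0, set(), 0
        while i + len(BEACON_PATHS) <= len(seq):
            window = seq[i:i + len(BEACON_PATHS)]
            if tuple(p for _, p in window) == BEACON_PATHS:
                cycles += 1
                hosts.update(h for h, _ in window)
                i += len(BEACON_PATHS)  # consume the whole cycle
            else:
                i += 1
        if cycles >= min_cycles and len(hosts) >= min_hosts:
            results[src] = {"hosts": sorted(hosts), "cycles": cycles}
    return results


def scan(log_text, **kwargs):
    """Convenience wrapper: run the hunt over a whole log as one string."""
    return find_beacon_loops(log_text.splitlines(), **kwargs)


if __name__ == "__main__":
    for src, info in scan(SAMPLE_LOG).items():
        print(f"{src}: {info['cycles']} beacon cycles across {info['hosts']}")
```

In the constructed sample, 10.1.1.5 completes three full cycles across three hostnames and is reported, while 10.1.1.9 only fetches a site's own index page, favicon, and an SVG once and is not. Real proxy logs need a format-specific `parse_line`, and the thresholds should be tuned to the environment; the distinguishing signal is the combination of the fixed three-path sequence with rotation across several destinations, not any single path on its own.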