dukes_whitepaper.pdf (2.1 MB)
Thanks for posting this report, @malware_kitten!
Key defensive takeaways:
The Dukes primarily use spear-phishing emails when
attempting to infect victims with their malware. These
spear-phishing emails range from ones purposely
designed to look like spam messages used to spread
common crimeware and addressed to large numbers of
people, to highly targeted emails addressed to only a few
recipients (or even just one person) and with content
that is highly relevant for the intended recipient(s).
We believe the Dukes purchased the exploit [CVE-2013-0640]. In all other cases, we believe the group simply repurposed publicly available exploits or proofs of concept.
This highlights the need for continual system patching, exploit mitigation via EMET, and advanced email filtering techniques, such as sandboxing.