Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



Duqu Remained Active After Operations Were Exposed in 2011

The discovery of Duqu 1.5 shows that the threat actor behind the malware did not go dark — as previously believed — after their operations were exposed by security researchers in 2011.

The discovery of Duqu 1.5 shows that the threat actor behind the malware did not go dark — as previously believed — after their operations were exposed by security researchers in 2011.

Following the initial public exposure of Duqu in 2011, the actor seemed to disappear from the threat landscape, only to emerge in 2015 more powerful and sophisticated than before.

With strong connection to the Stuxnet family due to code sharing and the use of a modular design, the Duqu malware was used to spy on companies across Europe, Africa, and the Middle East, as well as to compromise Certificate Authorities to ensure the effectiveness of further attacks.

Completely overhauled, the Duqu 2.0 malware platform that emerged in 2015 could operate almost entirely in-memory and in a semi-wormlike fashion across an enterprise network. The malware, which had over 100 modules, was used to spy on Kaspersky and other entities.

Researchers at Chronicle, a cybersecurity unit of Google’s parent company Alphabet, discovered that in the four-year gap between the two Duqu variants, a third version of the malware had been used. Referred to as Duqu 1.5, it managed to remain unnoticed for at least five years, it seems.

In a compromised environment, the researchers found a kernel driver that was digitally signed and appeared benign, but which was in fact providing persistence for a complex in-memory modular malware platform.

The platform included two types of encrypted Virtual File Systems (VFS), namely an in-memory orchestrator, along with multiple encrypted plugin modules.

Resembling Duqu 2.0, this transitional variant “appears over-engineered or bloated,” the security researchers say. It features “a maze of unpacking routines, encoded strings, and dynamically loaded API calls,” a structure superficially reminiscent of Regin, but featuring a distinct implementation of its features.

The experts couldn’t determine the delivery method for the kernel driver, but know that it begins the multistage infection process. Duqu 1.5 also employs shellcode loaders for the deployment of submodules.

The in-memory orchestrator, KMART.dll, which handles the deployment and interaction between the various modules, was also designed to bypass Kaspersky Antivirus using a method inherited by Duqu 2.0. KMART deploys plugins in a staged rollout process, from an on-disk RC4-encrypted VFS.

Duqu 1.5 contains fewer modules compared to Duqu 2.0 and only a few of them have been recovered, the researchers say. The malware platform, however, does employ a version of the Pipe Backdoor plugin.

For lateral movement, Duqu 1.5 leverages Windows Installer Packages (MSI) generated on-the-fly, but the researchers haven’t determined yet whether the spreader module uses the same method as Duqu 2.0 for deploying the payload to remote systems.

Both HTTP and HTTPS requests were used for communication with the command and control (C&C) servers, likely in an attempt to blend with normal traffic. The researchers were able to identify a single C&C server and IP address associated with the malware.

Chronicle’s researchers discovered a close connection between the Duqu, Stuxnet, Equation and Flame threat actors, and refer to the cluster as the GossipGirl Supra Threat Actor (STA). During their analysis, they uncovered a new component, named Stuxshop, that suggests a fourth team tracked as Flowershop was involved in the early development of Stuxnet. They also uncovered Flame 2.0.

GossipGirl Supra Threat Actor (STA)

“Duqu is the first example of an apex threat actor that burned down its operations entirely, disappeared for 2-3 years, and was caught having returned. This offers a remarkable opportunity for researchers to understand the meta-trends in toolkit development following public scrutiny. The iterative redesign of from Duqu 1.0 to 1.5 and finally 2.0 is an incremental effort towards a unique-per-target style platform,” Chronicle concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...