Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Duqu Remained Active After Operations Were Exposed in 2011

The discovery of Duqu 1.5 shows that the threat actor behind the malware did not go dark — as previously believed — after their operations were exposed by security researchers in 2011.

The discovery of Duqu 1.5 shows that the threat actor behind the malware did not go dark — as previously believed — after their operations were exposed by security researchers in 2011.

Following the initial public exposure of Duqu in 2011, the actor seemed to disappear from the threat landscape, only to emerge in 2015 more powerful and sophisticated than before.

With strong connection to the Stuxnet family due to code sharing and the use of a modular design, the Duqu malware was used to spy on companies across Europe, Africa, and the Middle East, as well as to compromise Certificate Authorities to ensure the effectiveness of further attacks.

Completely overhauled, the Duqu 2.0 malware platform that emerged in 2015 could operate almost entirely in-memory and in a semi-wormlike fashion across an enterprise network. The malware, which had over 100 modules, was used to spy on Kaspersky and other entities.

Researchers at Chronicle, a cybersecurity unit of Google’s parent company Alphabet, discovered that in the four-year gap between the two Duqu variants, a third version of the malware had been used. Referred to as Duqu 1.5, it managed to remain unnoticed for at least five years, it seems.

In a compromised environment, the researchers found a kernel driver that was digitally signed and appeared benign, but which was in fact providing persistence for a complex in-memory modular malware platform.

The platform included two types of encrypted Virtual File Systems (VFS), namely an in-memory orchestrator, along with multiple encrypted plugin modules.

Resembling Duqu 2.0, this transitional variant “appears over-engineered or bloated,” the security researchers say. It features “a maze of unpacking routines, encoded strings, and dynamically loaded API calls,” a structure superficially reminiscent of Regin, but featuring a distinct implementation of its features.

Advertisement. Scroll to continue reading.

The experts couldn’t determine the delivery method for the kernel driver, but know that it begins the multistage infection process. Duqu 1.5 also employs shellcode loaders for the deployment of submodules.

The in-memory orchestrator, KMART.dll, which handles the deployment and interaction between the various modules, was also designed to bypass Kaspersky Antivirus using a method inherited by Duqu 2.0. KMART deploys plugins in a staged rollout process, from an on-disk RC4-encrypted VFS.

Duqu 1.5 contains fewer modules compared to Duqu 2.0 and only a few of them have been recovered, the researchers say. The malware platform, however, does employ a version of the Pipe Backdoor plugin.

For lateral movement, Duqu 1.5 leverages Windows Installer Packages (MSI) generated on-the-fly, but the researchers haven’t determined yet whether the spreader module uses the same method as Duqu 2.0 for deploying the payload to remote systems.

Both HTTP and HTTPS requests were used for communication with the command and control (C&C) servers, likely in an attempt to blend with normal traffic. The researchers were able to identify a single C&C server and IP address associated with the malware.

Chronicle’s researchers discovered a close connection between the Duqu, Stuxnet, Equation and Flame threat actors, and refer to the cluster as the GossipGirl Supra Threat Actor (STA). During their analysis, they uncovered a new component, named Stuxshop, that suggests a fourth team tracked as Flowershop was involved in the early development of Stuxnet. They also uncovered Flame 2.0.

GossipGirl Supra Threat Actor (STA)

“Duqu is the first example of an apex threat actor that burned down its operations entirely, disappeared for 2-3 years, and was caught having returned. This offers a remarkable opportunity for researchers to understand the meta-trends in toolkit development following public scrutiny. The iterative redesign of from Duqu 1.0 to 1.5 and finally 2.0 is an incremental effort towards a unique-per-target style platform,” Chronicle concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.