

7 Facts On Duqu Malware Attacks

Research into the Duqu malware finds a component compiled in 2007, but also identifies successful attacks that occurred as recently as April 2011.

New information continues to emerge about the Duqu malware that was designed to steal information relating to industrial control systems.

The latest analysis of the Duqu malware has found that one of the components used in the attack was compiled in 2007. But Duqu was used in a targeted attack as recently as April 2011, pointing to a possible four-year attack campaign by Duqu's authors, whose identities and affiliations remain unknown.

What is known, however, is that to date, Duqu infected organizations in at least eight countries--including Iran--in part by using a still-unpatched Windows zero-day vulnerability. Furthermore, as researchers continue to study Duqu variants, these findings have emerged:

1. Duqu was a boutique exploit.

To date, researchers have discovered "12 unique sets of Duqu files," said Alexander Gostev, chief security expert at Kaspersky Lab and author of a recent Duqu report. That's significant, since "for every victim, a separate set of attack files was created," he said via email.

2. Duqu relates to Stars.

According to a Duqu timeline assembled by Kaspersky Lab, Duqu appeared at the same time as the Stars virus hit Iran. "At that time Iranian specialists didn't share samples of the discovered virus with any of the antivirus companies, and this, it has to be said, was a serious mistake, which gave rise to all subsequent events in this saga," said Gostev. "Most probably, the Iranians found a keylogger module that had been loaded onto a system and which contained a photo of the NGC 6745 galaxy. This could explain the title 'Stars' given to it."


3. Attackers covered their tracks.

Pointing to the difficulty of tracing attacks back to the actual people who launched them, Gostev said that the Duqu exploits, which used malicious .doc files attached to emails, "took place from anonymous mailboxes, probably via compromised computers." In the case of one particular attack, dubbed "variant F" by Kaspersky, attackers used a computer--again, likely compromised--in South Korea to send attack emails on April 17, 2011, followed by another attack four days later. The first attack ended up in a junk mail folder. "The second attack turned out successful: the addressee opened the attached .doc file that contained the vulnerability exploit and Trojan installer," said Gostev.

4. Exploit used Dexter font.

How did Duqu attack? For the Duqu-F variant at least, "the vulnerability exploit was contained in the font called 'Dexter Regular,'" said Gostev. But that attack code was only a dropper or installer program, which then downloaded further attack code onto the targeted PC. "After penetration into a system the attackers installed extra modules and infected neighboring computers," he said.
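A font embedded in a document is one concrete artifact a defender can look for. The following is an added example, not code from the article or from Kaspersky Lab: a small Python scanner that finds TrueType (sfnt) font headers inside a byte blob, walks each font's table directory to its 'name' table, decodes the stored font names, and flags any that match a watchlist seeded with the name the article cites. The watchlist contents, the minimal font fixture and the fake document blob are all constructed here for illustration; the sfnt and 'name' table layouts follow the public TrueType specification.

```python
import struct

# Font name the article ties to the Duqu-F exploit document (from the page).
SUSPICIOUS_FONT_NAMES = {"Dexter Regular"}

# sfnt header magics: 0x00010000 (TrueType outlines) and b"true" (Apple variant).
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true")
MAX_TABLES = 64          # sanity cap: a real font has a couple of dozen tables at most
MAX_NAME_RECORDS = 512   # sanity cap against garbage parsed from a false magic hit


def parse_name_table(data: bytes, offset: int) -> list[str]:
    """Decode the strings in a TrueType 'name' table that starts at `offset`."""
    names = []
    try:
        _fmt, count, string_offset = struct.unpack_from(">HHH", data, offset)
        if count > MAX_NAME_RECORDS:
            return []
        for i in range(count):
            rec = offset + 6 + i * 12
            platform_id, _enc, _lang, _name_id, length, str_off = struct.unpack_from(">HHHHHH", data, rec)
            start = offset + string_offset + str_off
            raw = data[start:start + length]
            if len(raw) != length:
                continue  # record points past the end of the blob; skip it
            # Platform 0 (Unicode) and 3 (Windows) store UTF-16BE; others are single-byte.
            codec = "utf-16-be" if platform_id in (0, 3) else "latin-1"
            names.append(raw.decode(codec, errors="replace"))
    except struct.error:
        return []
    return names


def font_names_at(data: bytes, offset: int) -> list[str]:
    """Walk the table directory of an sfnt at `offset`; return its 'name' strings (or [])."""
    try:
        num_tables = struct.unpack_from(">H", data, offset + 4)[0]
        if not 0 < num_tables <= MAX_TABLES:
            return []
        for i in range(num_tables):
            tag, _checksum, tbl_off, _tbl_len = struct.unpack_from(">4sIII", data, offset + 12 + i * 16)
            if tag == b"name":
                # Table offsets are relative to the start of the font, not the document.
                return parse_name_table(data, offset + tbl_off)
    except struct.error:
        pass
    return []


def scan_blob(data: bytes) -> list[tuple[int, list[str]]]:
    """Return (offset, names) for every byte run that parses as an sfnt font with a name table."""
    found = []
    for magic in SFNT_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            names = font_names_at(data, pos)
            if names:
                found.append((pos, names))
            pos = data.find(magic, pos + 1)
    return sorted(found)


def flagged_fonts(data: bytes) -> list[str]:
    """Names of embedded fonts that match the watchlist, in document order."""
    return [n for _, names in scan_blob(data) for n in names if n in SUSPICIOUS_FONT_NAMES]


def build_minimal_ttf(family_name: str) -> bytes:
    """Constructed test fixture: an sfnt containing only a 'name' table (not a usable font)."""
    s = family_name.encode("utf-16-be")
    name_table = struct.pack(">HHH", 0, 1, 18)                        # format 0, 1 record, strings at +18
    name_table += struct.pack(">HHHHHH", 3, 1, 0x0409, 1, len(s), 0)  # Windows / Unicode BMP / en-US, nameID 1
    name_table += s
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", 1, 16, 0, 0)
    directory = struct.pack(">4sIII", b"name", 0, 28, len(name_table))  # 12-byte header + one 16-byte record
    return header + directory + name_table


def build_sample_document() -> bytes:
    """Constructed: a fake document blob embedding one benign and one watchlisted font."""
    return (b"CONSTRUCTED-DOCUMENT-BYTES" + build_minimal_ttf("Arial")
            + b"--more-document-content--" + build_minimal_ttf("Dexter Regular") + b"END")


if __name__ == "__main__":
    doc = build_sample_document()
    for off, names in scan_blob(doc):
        print(f"embedded font at offset {off}: {names}")
    print("flagged:", flagged_fonts(doc))
```

Two caveats for real use. A legacy .doc is an OLE compound file whose streams are stored in 512-byte sectors that need not be contiguous, so scan the extracted streams rather than the raw file, or the name table may sit in a different sector than the header. And the 'name' table is attacker-controlled, so a name match is only a triage signal; the presence of any embedded font in a mail attachment from an unknown sender is the more durable thing to surface.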

5. Duqu used a ruse.

Interestingly, after infecting a PC, Duqu did nothing--at least initially--except residing in memory and staying put even if the .doc file was closed. "This period of inactivity lasted around 10 minutes, after which the exploit waited for the user's activity to stop--no keyboard or mouse activity. Only then did the dropper kick into action," said Gostev.

6. Attackers used disposable control servers.

Each Duqu variant had its own, separate control server, which provides further evidence that it was a highly targeted attack. Having a disposable infrastructure, furthermore, helped ensure that the discovery of one Duqu variant or attack wouldn't give away any of the others. Unlike Shady RAT's masterminds, the Duqu attackers also appear to have left the control servers active only for as long as they were required. Indeed, for a control server used to launch the Duqu-F attack, "we think that it is not functioning now and all critical information on it has already been deleted by the attackers," said Gostev. Kaspersky likewise found an identical data-wipe after researching another Duqu variant.

7. Duqu contained communication backups.

Duqu can not only connect to command-and-control (C&C) servers, but also function as a server itself. "There are two lists of C&C servers, one can contain domain names, IP addresses, or names of network shares, and the other contains IP addresses in binary format and is used to connect using Windows HTTP (winhttp) services," according to a report published by Kaspersky Lab expert Igor Soumenkov. "Although the configuration blocks we have found so far are similar and are set up to connect to its C&C using HTTP and HTTPS, the payload .dll [file] is able to connect to a network share and even become a server." In other words, while Duqu may have only attacked a handful of organizations, it was engineered to succeed.
