Duqu, a very complex and modular malware platform thought to have gone dark in late 2012, has made its appearance within the environment of Kaspersky Labs. Dubbed “Duqu 2.0” by Kaspersky, the level of complexity found within the malware represents a high level of sophistication, skill, funding and motivation seen by nation-sponsored actors. Infections related to this malware have revealed links to the P5 1 events and related discussions regarding Iran's nuclear talks.
While the initial attack vector is unknown, evidence such as wiped mailboxes and cleared browser history suggest spearphishing and the use of a zero-day exploit to gain a foothold on patient zero. Other Zero-day exploits were noted by Kaspersky such as CVE-2014-6324 and CVE-2015-2360, allowing the attacker to run code at the highest privilege level and aid in lateral movement.
Digging into the analysis reveals the authors made almost every attempt to either mislead analysis using layered encryption/compression functions or keywords pertaining to other known APT groups. In the wild, most malware uses generic encryption algorithms such as XOR, DES and AES or third party libraries. Duqu 2.0 on the other hand defines its own algorithms such as Camellia 256, AES, XXTEA, according to Kaspersky. In addition to using specific encryption and compression methods, the Duqu 2.0 platform utilizes “In-Memory” backdoors rather then using other persistence mechanisms. The attackers targeted servers with high uptime to ensure the foothold on the network would last. After installing backdoors, the attackers could deploy a number of pluggable modules. Some of the different modules capabilities have been outlined below:
- WMI Data collection
- Exfiltration and data encryption
- Able to search for specific files/folders
- Extensive system/user information collection
- File/directory manipulation
- Network and domain discovery
- MS SQL, Oracle DB and ADOdb discovery
- Sniffer (network reconnaissance)
- Document metadata extraction
- Emails, images, multimedia files, pdf, office and archives
Network communication is also unique. Duqu 2.0 can append encrypted data to .gif or .jpeg image formats. Unlike the 2011 version of Duqu, which implemented a single user agent string, Duqu 2.0 selects a random user agent string from a table of 53 possibilities. By using network drivers, traffic can also be proxied through the victims LAN.
In summary, actors such as the authors of Duqu 2.0 show that the state of nation-sponsored attacks is reaching new heights. With multiple zero-day exploits and in-memory techniques, Duqu 2.0 goes beyond the traditional aspects of commodity malware. We appreciate Kaspersky publishing its in-depth findings and offering a level of transparency rarely seen in most public reports.