The Duqu attackers, who are considered by researchers to be at the top of the food chain of APT groups and are responsible for attacking certificate authorities and perhaps spying on Iran’s nuclear program, have resurfaced with a new platform that was used to compromise high-profile victims, including some related to the Iran nuclear talks last fall.
The new spate of attacks was discovered by researchers at Kaspersky Lab after they uncovered evidence that some of the company’s own systems had been compromised by the platform, which is being called Duqu 2.0. Kaspersky’s investigation into the incident showed that the Duqu attackers had access to a small number of systems and were especially interested in the company’s research into APT groups, its anti-APT technology, and some Kaspersky products, including the Secure Operating System and Kaspersky Security Network. Kaspersky officials said that although the initial infection vector isn’t known, the attackers used as many as three Windows zero-days in the course of the operation.
The company said it is confident that its technologies and products have not been affected by the incident.
Kaspersky researchers discovered the attack earlier this spring and quickly noticed some similarities to the original Duqu attacks from 2011. The malware in the newer attacks appears to be an updated version of the original Duqu platform, and there are some similarities in the command and control infrastructure, as well. But the newer malware is much more highly evolved than the first Duqu samples, researchers said, and it is more advanced than some of the techniques used by the infamous Equation Group revealed earlier this year. That team is thought to be perhaps the most-skilled APT group operating right now and has been refining its techniques for nearly 20 years.
The key difference with the Duqu 2.0 attacks is that the malware platform that team uses has modules that reside almost entirely in memory.
“The Equation Group always used some form of ‘persistence,’ accepting a bigger risk of being discovered. The Duqu 2.0 malware platform was designed in a way that survives almost exclusively in the memory of infected systems, without need for persistence – it means the attackers are sure there is always a way for them to maintain an infection – even if the victim’s machine is rebooted and the malware disappears from the memory,” Kaspersky’s researchers said.
“That approach is much more sophisticated. It also demonstrates a different mentality: the Duqu 2.0 threat actor was confident enough to create and manage an entire cyber-espionage operation just in memory – one that could survive within an entire network of compromised computers without relying on any persistence mechanism at all.”
Among the other victims of the Duqu 2.0 attacks, which number close to 100, are systems connected to the P5+1 talks that occurred in the autumn of 2014 with Iran regarding that country’s nuclear program.
“Most of the final targets appear to be similar to their 2011 goals – which is to spy on Iran’s nuclear program. Some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks. In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau,” a technical analysis by Kaspersky’s researchers said.
Researchers believe that the Duqu 2.0 attacks are the work of a nation-state and say that the ties between the new malware and the older Duqu platform are strong. There are a number of similarities in the code of the two platforms and they share a similar C&C methodology. Once the Duqu 2.0 malware is on a new machine, it employs an exploit for a Windows vulnerability that was a zero day at the time of the attacks.
“In the case of Duqu 2.0, the lateral movement technique appears to have taken advantage of another zero-day (CVE-2014-6324), which was patched in November 2014 with MS14-064. This exploit allows an unprivileged domain user to elevate credentials to a domain administrator account. Although we couldn’t retrieve a copy of this exploit, the logged events match the Microsoft detection guidance for this attack. Malicious modules were also observed performing a ‘pass the hash’ attack inside the local network, effectively giving the attackers many different ways to do lateral movement,” the Kaspersky report says.
“Once the attackers gained domain administrator privileges, they can use these permissions to infect other computers in the domain.”
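The report above says Kaspersky matched logged events against Microsoft’s detection guidance for CVE-2014-6324 rather than recovering the exploit itself. The following is an added illustration of that kind of log-based check, written for this article and not code from Kaspersky or Microsoft: it scans constructed Windows 4624 logon records and flags the inconsistencies that guidance describes as I recall it (an Account Domain that is not the expected NetBIOS name, and a Security ID that is foreign to the domain or does not match the account name). The domain name, SID prefix and sample events are all constructed placeholders.

```python
import re

# Assumption: the defender knows the domain's NetBIOS name and domain SID
# prefix. Both values are constructed placeholders, not real identifiers.
DOMAIN_NETBIOS = "CORP"
DOMAIN_SID_PREFIX = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed sample 4624 events, flattened to key=value form for the example.
SAMPLE_EVENTS = [
    "EventID=4624 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-1105 AccountName=jsmith AccountDomain=CORP LogonType=3",
    "EventID=4624 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-500 AccountName=jsmith AccountDomain=corp.example.com LogonType=3",
    "EventID=4624 SecurityID=S-1-5-21-9999999999-8888888888-7777777777-1105 AccountName=jsmith AccountDomain=CORP LogonType=3",
    "EventID=4672 SecurityID=S-1-5-21-1111111111-2222222222-3333333333-1105 AccountName=jsmith AccountDomain=CORP",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def suspicious_reasons(event, known_sids):
    """Return why a 4624 event looks like a logon with a forged PAC.
    known_sids maps account name -> SID the directory holds (constructed here;
    a real check would resolve the name through Active Directory)."""
    if event.get("EventID") != "4624":
        return []
    reasons = []
    domain = event.get("AccountDomain", "")
    sid = event.get("SecurityID", "")
    # Rule 1: a legitimate KDC-issued logon carries the uppercase NetBIOS
    # name; a lowercase FQDN in AccountDomain is the documented anomaly.
    if domain != DOMAIN_NETBIOS:
        reasons.append("account-domain-mismatch")
    # Rule 2: the SID must belong to our own domain.
    if not sid.startswith(DOMAIN_SID_PREFIX + "-"):
        reasons.append("foreign-sid")
    # Rule 3: the SID must be the one the directory holds for that name.
    expected = known_sids.get(event.get("AccountName"))
    if expected and sid != expected:
        reasons.append("sid-name-mismatch")
    return reasons

def scan(lines, known_sids):
    """Return (account, sid, reasons) for every event that trips a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = suspicious_reasons(ev, known_sids)
        if reasons:
            findings.append((ev.get("AccountName"), ev.get("SecurityID"), reasons))
    return findings
```

On the constructed sample, the first event is clean, the 4672 event is ignored, and the second and third 4624 events are flagged for a domain/SID mismatch.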
There are two separate packages that the attackers use on infected machines, a small in-memory backdoor, and a larger espionage platform with C&C capabilities and a long list of features. The malware has the ability to remain undetected for long periods of time thanks to its lack of a typical persistence mechanism, and if the machines that carry the malware reboot, killing the Duqu 2.0 platform, the attackers have an answer for that, as well.
“To get around this problem, the attackers have another solution – they deploy drivers to a small number of computers, with direct Internet connectivity. These drivers can tunnel traffic from the outside into the network, allowing the attackers to access remote desktop sessions or to connect to servers inside the domain by using previously acquired credentials. Using these credentials, they can re-deploy the entire platform following a massive power loss,” the Kaspersky analysis says.
The goal of the attackers in all cases was to gain access to intellectual property and sensitive information. Kaspersky officials said none of its customer data was threatened by the compromise. All in all, the Duqu 2.0 team looks to be among the more powerful and skilled groups operating right now.
“Developing and operating such a professional malware campaign is extremely expensive and requires resources beyond those of everyday cybercriminals. What is really remarkable here is that the entire malware platform relies heavily on zero-days. If there is no zero-day to jump into kernel mode, the malware won’t work,” the Kaspersky analysis says.
“That could mean that the attackers were pretty confident that should one vulnerability be patched they’d implement another. Otherwise they wouldn’t have built a platform dependent entirely on zero-days.”
The last of the zero-days used by the Duqu 2.0 attackers was patched by Microsoft on Tuesday. The vulnerability, CVE-2015-2360, was an elevation-of-privilege bug in the Windows kernel-mode drivers.
Kaspersky officials said they decided to disclose the attack on the company because it has a policy of reporting all such attacks, regardless of where they occur.
“Reporting such incidents is the only way to make the world more secure. This helps to improve the security design of enterprise infrastructure and sends a straightforward signal to developers of this malware: all illegal operations will be stopped and prosecuted. The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin,” said Eugene Kaspersky, CEO of Kaspersky Lab.