‘Skilled’ New Duqu APT Launches

Wednesday, June 10, 2015 @ 10:06 AM gHale

Duqu 2.0 appears to be back and continuing where it left off with intellectual property theft, but no additional indicators of malicious activity, said researchers at Kaspersky Lab. Their analysis found the top goal of the attackers was to spy on technologies, ongoing research and internal processes, with no interference with processes or systems.

Kaspersky detected this latest version in the spring when they found the advanced persistent threat (APT) on their systems.

Duqu Still at Work
Attacker ‘Hides in Plain Sight’
Oil Industry Under Attack
Warding Off EU’s Sophisticated Attacks
Stealth Malware Turns Servers into Spambots

Following this finding the company launched an intensive investigation, which led to the discovery of the latest version of Duqu.

Kaspersky Lab believes the attackers were confident that it was impossible to discover the cyberattack. The attack included some unique and unseen features and almost didn’t leave traces. The attack exploited Zero Day vulnerabilities and after elevating privileges to domain administrator, the malware spread in the network through MSI (Microsoft Software Installer) files commonly used by system administrators to deploy software on remote Windows computers. The cyberattack didn’t leave behind any disk files or change system settings, making detection extremely difficult. The philosophy and way of thinking of the “Duqu 2.0” group is a generation ahead of anything seen in the APT world, Kaspersky researchers said.

“The people behind Duqu are one of the most skilled and powerful APT groups and they did everything possible to try to stay under the radar,” said Costin Raiu, director of Kaspersky Lab’s Global Research & Analysis Team. “This highly sophisticated attack used up to three Zero Day exploits, which is very impressive – the costs must have been very high. To stay hidden, the malware resides only in kernel memory, so anti-malware solutions might have problems detecting it. It also doesn’t directly connect to a command-and-control server to receive instructions. Instead, the attackers infect network gateways and firewalls by installing malicious drivers that proxy all traffic from the internal network to the attackers’ command and control servers.”

Kaspersky Lab researchers discovered the company wasn’t the only target of this powerful threat actor. Other victims were in Western countries, as well as in countries in the Middle East and Asia. Most notably, some of the new 2014-2015 infections link to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal. The Duqu team appears to have launched attacks at the venues where the high level talks took place. In addition to the P5+1 events, the Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau. Similar to the P5+1 events, there were quite a few foreign dignitaries and politicians in attendance.

Upon discovery, Kaspersky Lab performed an initial security audit and analysis of the attack. The audit included source code verification and checking of the corporate infrastructure. The comprehensive audit is still ongoing and will be ready in a two-week timeframe. Besides intellectual property theft, no additional indicators of malicious activity ended up detected. The analysis revealed the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. There was no interference with processes or systems.

“Security software is the last frontier of protection for businesses and customers in the modern world, where hardware and network equipment can be compromised,” said Eugene Kaspersky, chief executive of Kaspersky Lab. “Moreover, sooner or later technologies implemented in similar targeted attacks will be examined and utilized by terrorists and professional cybercriminals. And that is an extremely serious and possible scenario.”

Kaspersky Lab said there is no impact on the company’s products, technologies and services.

Earlier in 2015, during a test, a prototype of an anti-APT solution developed by Kaspersky Lab showed signs of a complex targeted attack on its corporate network. After they discovered the attack an internal investigation launched. A team of the company’s researchers, reverse engineers and malware analysts worked around the clock to analyze this exceptional attack. The company is releasing all the technical details about Duqu 2.0 via Securelist.

The following are some preliminary conclusions:
• The attack ended up carefully planned and carried out by the same group behind the 2011 Duqu APT attack. Kaspersky Lab believes this is a nation-state sponsored campaign.
• Kaspersky Lab strongly believes the primary goal of the attack was to acquire information on the company’s newest technologies. The attackers appeared to look for the details behind the products like Kaspersky Lab’s Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network and Anti-APT solutions and services. Non-R&D departments (sales, marketing, communications, legal) were out of attackers’ interests.
• The information accessed by the attackers is in no way critical to the operation of the company’s products. Armed with information about this attack, Kaspersky Lab will continue to improve the performance of its IT security solutions portfolio.
• The attackers also showed a high interest in Kaspersky Lab’s current investigations into advanced targeted attacks.
• The attackers seem to have exploited up to three Zero Day vulnerabilities. Microsoft patched the remaining Zero Day (CVE-2015-2360) June 9 (MS15-061).

The malicious program used an advanced method to hide its presence in the system: The code of Duqu 2.0 exists only in computer’s memory and tries to delete all traces on the hard drive.

“Reporting such incidents is the only way to make the world more secure. This helps to improve the security design of enterprise infrastructure and sends a straightforward signal to developers of this malware: all illegal operations will be stopped and prosecuted,” Kaspersky said. “The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly. We will always report attacks regardless of their origin.”

Click here to download the technical paper.