Tor Used with New Malware

Wednesday, November 19, 2014 @ 01:11 PM gHale

New malware distributed through an exit node on the Tor anonymity network could be a relative of MiniDuke, researchers said.

Last month, a researcher with the Leviathan Security Group found a Russia-based Tor exit node had been patching files with malware, said researchers at F-Secure. By wrapping legitimate files with malware, the attackers increased their chances of bypassing security.

Tor Exit Node Modifying Files
Updated Malware Using Tor
Industrial Software Site Attacked
Targeted Attack: Device Maker Hit

After analyzing files served through this exit node, F-Secure researchers found they all contained the same piece of malware, which they called “OnionDuke.”

OnionDuke is a malware family distributed via the Tor network since at least October 2013. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites.

F-Secure researches feel the OnionDuke family is older since they have found evidence the samples they analyzed are actually version 4 of the malware. Researchers haven’t yet identified any of the older versions, but the timestamps on the oldest OnionDuke binaries they have analyzed were from July 5 and July 15, 2013, F-Secure said.

OnionDuke is a separate family from MiniDuke, a sophisticated malware family with Russian roots that works in advanced persistent threat (APT) campaigns against government organizations. However, researchers found the two threats have a connection through their command and control (C&C) infrastructure.

In the attacks monitored by F-Secure, attackers used the Tor exit node to distribute the OnionDuke dropper, detected as Trojan-Dropper:W32/OnionDuke.A. The dropper contains a PE resource that appears to be an embedded GIF image file, but in reality it’s a DLL file that’s decrypted, written to the disk, and executed.

The DLL file, detected as Backdoor:W32/OnionDuke.B, decrypts the embedded configuration file and attempts to connect to the hardcoded C&C domains specified in it.

“From these C&Cs the malware may receive instructions to download and execute additional malicious components. It should be noted, that we believe all five domains contacted by the malware are innocent websites compromised by the malware operators, not dedicated malicious servers,” F-Secure’s Artturi Lehtiö said in a blog post.

Another component identified by researchers is Backdoor:W32/OnionDuke.A. This threat contains different hardcoded C&C domains. This is the sample where F-Secure was able to make the connection to MiniDuke. Experts also believe this variant might be using Twitter as an additional C&C channel.

According to F-Secure, OnionDuke has seen action in targeted attacks aimed at government agencies in Europe. However, experts haven’t been able to determine the distribution vector utilized in these attacks.

Leave a Reply

You must be logged in to post a comment.