DUQU


The Duqu trojan was discovered on September 1, 2011 by the CrySyS Lab of the Budapest University of Technology and Economics in Hungary. The code of the malware is very similar to the Stuxnet worm, and it is believed to be either the product of a sister project or a derivative of the Stuxnet source code. In particular, the kernel driver of the malware is practically the same as the kernel driver of Stuxnet (commonly named JMINET.SYS and MRXCLS.SYS respectively). The former case implies that the malware was developed and deployed by a state sponsor, likely the United States or Israel; the latter case expands attribution to practically any well-resourced actor on the internet.
Unlike the Stuxnet worm, the Duqu trojan was not meant to sabotage the host systems; instead, like most modern malware, its purpose was covert information exfiltration. Duqu was found on target systems similar to those hit by Stuxnet, so it is reasonable to conclude that it was developed and deployed to collect information pertinent to current events, or information needed to launch future espionage or sabotage campaigns. Duqu primarily targeted the industrial infrastructure of system manufacturers and the industrial sector in Middle Eastern countries. The adversary exfiltrated confidential documents such as design specifications and network information, likely to aid future attack campaigns.
The Animal Farm trojans can be grouped into six families. The NBot malware is a standard botnet kit capable of enslaving systems and leveraging their resources in aggregate to conduct DDoS attacks. The EvilBunny trojan and its variants are validator trojans that were used in spear-phishing attacks in 2011. The trojans were delivered via malicious PDF files through the 0-day exploitation of a vulnerability in Adobe Reader. The trojan checks whether an emulator is running, what directory it is running from, whether its payload timestamp has been changed, and what time the API hook was detected. Bunny is designed as an execution platform that lets the attacker inject Lua scripts into processes on the victim system.
The original Duqu components exploited a zero-day vulnerability in the Windows Win32k TrueType font parsing code (CVE-2011-3402). The vulnerability permits the attacker to execute code in kernel mode, the highest privilege level. A portion of the malware, dubbed the “Duqu framework” by Kaspersky, appears to be written in C with a custom object-oriented framework and compiled with Microsoft Visual Studio 2008. Duqu consists of an installer, a driver file, a DLL with embedded files, and a configuration file. The installer registers the driver as a service that starts at system initialization. The driver injects the DLL into the Windows process services.exe. From there, the DLL extracts the other components and injects them into other Windows processes. In some samples the driver file is signed with a valid digital certificate to avoid detection.
The Duqu trojan was typically configured to run on an infected machine for 30-36 days. Unlike Stuxnet (a worm), Duqu (a trojan) does not replicate and spread on its own; it spreads only through additional breaches and targeted installation. In service of its espionage function, Duqu's components mostly log keystrokes and system information. According to Kaspersky Lab, the Duqu operators were particularly intent on collecting passwords, stealing documents, and taking desktop screenshots. The infostealer component collects information and stores it in a local encrypted and compressed file. At regular intervals or upon request, the file is attached to a dummy .jpeg file and uploaded from the infected host.
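A defender-side check suggested by the exfiltration mechanism above, added here as an example and not taken from the original page or from any vendor's Duqu analysis: walk a JPEG's marker structure to the End-of-Image (EOI) marker and measure what, if anything, is appended after it, since a genuine image ends there while a carrier file for a hidden blob does not. The sample bytes are constructed, and the entropy of the trailer is reported because encrypted or compressed data sits near 8 bits per byte.

```python
import math
from collections import Counter

# Constructed sample, not a real Duqu artifact: SOI, APP0/JFIF, SOS, a few scan
# bytes (with FF00 stuffing and an RST0 marker that must not end the walk), EOI.
CLEAN_JPEG = (
    b"\xff\xd8"                                                       # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # APP0
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                       # SOS
    b"\x12\x34\xff\x00\x56\xff\xd0\x78"                               # scan data
    b"\xff\xd9"                                                       # EOI
)
# Stand-in for the encrypted, compressed infostealer blob appended after EOI.
SMUGGLED_JPEG = CLEAN_JPEG + b"constructed-ciphertext-placeholder-" * 3

def jpeg_eoi_offset(data: bytes) -> int:
    """Offset just past the EOI marker, or -1 if the JPEG cannot be walked."""
    if not data.startswith(b"\xff\xd8"):
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1                                  # expected a marker
        marker = data[pos + 1]
        if marker == 0xD9:                             # EOI: image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # TEM/RSTn/SOI: no payload
            pos += 2
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:                                # truncated or bogus length
            return -1
        pos += 2 + seg_len                             # honour the declared length
        if marker == 0xDA:                             # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                              # a real marker follows
                pos += 1
    return -1

def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; values near 8.0 are typical of encrypted or compressed data."""
    n = len(blob)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def appended_payload(data: bytes) -> tuple:
    """(byte count after EOI, its entropy); (-1, 0.0) if not a walkable JPEG."""
    end = jpeg_eoi_offset(data)
    return (-1, 0.0) if end < 0 else (len(data) - end, shannon_entropy(data[end:]))
```

Because segment lengths are honoured, FF D9 byte pairs inside APPn or COM payloads do not terminate the walk early, which avoids false positives on images with large metadata blocks.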
Duqu communicates with its C&C infrastructure over HTTP and HTTPS. Each attack, in at least eight different countries, used a different C&C server. The servers, likely proxies, forwarded all port 80 and port 443 traffic to other servers, which in turn forwarded the traffic onward, and so on. The servers also hosted at least three different DLLs and the infostealer component used to collect information from the infected hosts. Most of the known infrastructure went inactive when the malware was exposed.
In late 2015, Kaspersky reported the reemergence of the Duqu malware, targeting Western countries as well as the Middle East and Asia. Many of the targets were affiliated with the P5+1 events and venues associated with the Iran nuclear deal negotiations. An event honoring the 70th anniversary of the liberation of Auschwitz-Birkenau may also have been targeted. The new attacks leveraged new 0-day exploits, including CVE-2015-2360, which targets the Windows kernel. Duqu 2.0 runs as kernel-level code. The updated malware survives in the system memory of infected servers and is re-downloaded onto desirable hosts after they reboot. Duqu 2.0 was built on top of the original code; however, it now loads from an MSI file and has at least 94 more plugins. The known plugins allow the adversary to customize the toolkit to the target environment in order to circumvent system security and work around incompatibilities. Newer components appear to be written in C++.
It is unclear whether the new version is deployed by the original team. Strings in the code suggest that the malware was developed by English speakers; however, a few minor spelling errors could suggest the involvement of non-native speakers. Additionally, Kaspersky observed a target system that was infected by both Duqu 2.0 and Equation Group malware, which suggests a lack of coordination and possibly competing interests. Since the source code of Duqu was never made public, the revised version must have been developed by one of the original authors. If Duqu was developed by both the United States and Israel, and if Equation Group is not coordinating with Duqu, then one could postulate that Duqu 2.0 was developed by the Israeli development team in an effort to gain information about the US-Iran nuclear negotiations. Other explanations exist.