In October 2014, Leviathan Security Group disclosed that a Russia-based Tor exit node was attaching malware to executables downloaded through it: the node wrapped each legitimate executable inside a malicious one, so the original program still ran and the tampering was less likely to be noticed. A hash or signature check against a value obtained over a separate trusted channel would still detect the modified file, since its bytes differ from the original. The malware campaign is believed to have been active from at least February 2013 through spring 2015. OnionDuke does not operate like the other Duke campaigns; however, it shares some C&C infrastructure with the MiniDuke attacks, and the domains not shared between the two campaigns were registered under the same alias, John Kasai. It therefore stands to reason that OnionDuke is the work of a Russian state-sponsored actor linked to the other Duke campaigns.
OnionDuke attacks target government agencies in Central Europe. Because it is unlikely that European government agencies download software through Tor from their high-value systems, the secondary distribution vector of the malware remains unclear. The malware has also been found bundled with pirated software. It is possible that the campaign distributes the malware through scattershot attacks via the Tor exit node and torrent sites, and through another, as yet unobserved, vector such as phishing or watering-hole attacks. The exit node can only tamper with downloads it sees in plaintext, so the infection appears to fail when the victim's traffic is encrypted end to end, for example through a VPN tunnel that passes through the exit node. Systems infected with CozyDuke may also be infected with OnionDuke if the former malware is used to deliver and execute the latter malware's dropper. It is possible that the OnionDuke attacks were conducted to infect a broad range of targets, both to gather information for the other Duke campaigns and to build a botnet for the adversary.
When a download passes through the malicious exit node, the dropper, Trojan-Dropper:W32/OnionDuke.A, is wrapped around the legitimate file. The dropper contains a PE resource that appears to be an embedded .GIF image file. In reality the resource is an encrypted DLL, Backdoor:W32/OnionDuke.B, which the dropper decrypts, writes to disk, and executes. The DLL then decrypts an embedded configuration and attempts to contact a hardcoded C&C domain over HTTP(S), falling back to Twitter if HTTP(S) fails. The C&C domains appear to be legitimate websites that were compromised to deliver instructions and additional components to the malware. OnionDuke, like CozyDuke, is built on a modular platform designed for versatility. The toolset delivered from the C&C server includes an information stealer, a DDoS module, a password-stealing module, an information-gathering module, and a social-network (VKontakte) spamming component.
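As an added illustration (not code from Leviathan, F-Secure, or the malware itself), the following Python triage script checks a downloaded file for the three artefacts described in this paragraph and in the opening one: a second PE header embedded in the file (the wrapped original program), a resource named as an image whose bytes carry no image magic (the fake .GIF hiding a DLL), and a mismatch against a SHA-256 obtained over a trusted channel. The sample bytes are constructed minimal PE-shaped blobs, not real executables, and the function names (find_pe_headers, fake_image_resources, integrity_ok, triage) are hypothetical.

```python
import hashlib
import struct

# Magic bytes of common image formats, used to check that a PE resource
# claiming to be an image really is one (OnionDuke hid a DLL behind a .GIF name).
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".bmp": (b"BM",),
}


def find_pe_headers(data: bytes, max_lfanew: int = 0x1000) -> list:
    """Return the offsets of every well-formed PE header in data.

    A clean executable yields exactly one offset (0). A wrapper or dropper
    that carries the victim's original program as a payload yields more.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= max_lfanew and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def fake_image_resources(resources: dict) -> list:
    """Return the names of resources whose image-style name does not match their magic."""
    suspicious = []
    for name, blob in resources.items():
        ext = name[name.rfind("."):].lower() if "." in name else ""
        magics = IMAGE_MAGIC.get(ext)
        if magics is not None and not blob.startswith(magics):
            suspicious.append(name)
    return suspicious


def integrity_ok(data: bytes, expected_sha256: str) -> bool:
    """Compare a download against a hash obtained over a trusted channel (not via the exit node)."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def triage(data: bytes, resources: dict, expected_sha256: str) -> dict:
    """Run all three checks and return the findings."""
    return {
        "embedded_pe_offsets": find_pe_headers(data),
        "fake_image_resources": fake_image_resources(resources),
        "integrity_ok": integrity_ok(data, expected_sha256),
    }


def _min_pe(tag: bytes) -> bytes:
    """Constructed minimal PE-shaped blob (not a real program): MZ stub,
    e_lfanew pointing at 'PE\\0\\0', a COFF header, and a tag to tell blobs apart."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # 64-byte DOS header
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x10F)
    return dos + coff + tag


# Constructed samples: a clean file, and a wrapper-style file in which a first PE
# (the dropper) is followed by the untouched original program.
CLEAN_SAMPLE = _min_pe(b"ORIGINAL")
WRAPPED_SAMPLE = _min_pe(b"WRAPPER") + b"\x00" * 16 + _min_pe(b"ORIGINAL")
CLEAN_SHA256 = hashlib.sha256(CLEAN_SAMPLE).hexdigest()  # stands in for a publisher-supplied hash

# Constructed resource table: one genuine GIF, one "GIF" that is really an opaque blob.
SAMPLE_RESOURCES = {
    "logo.gif": b"GIF89a" + b"\x00" * 32,
    "payload.gif": bytes(range(0x80, 0xC0)),
}

if __name__ == "__main__":
    print("clean:  ", triage(CLEAN_SAMPLE, {"logo.gif": SAMPLE_RESOURCES["logo.gif"]}, CLEAN_SHA256))
    print("wrapped:", triage(WRAPPED_SAMPLE, SAMPLE_RESOURCES, CLEAN_SHA256))
```

The embedded-PE check is a triage signal, not a verdict: legitimate installers and self-extracting archives also carry inner executables, so a hit should be followed by extraction and analysis of the inner file. The resource check works even though the real payload was encrypted, because it only asks whether the bytes behind an image-named resource begin like an image.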