ONIONDUKE

In October 2014, Leviathan Security Group disclosed that a Russia based Tor exit node was attaching malware onto the files that passed through it by wrapping legitimate executables with the malware executable. The technique increased the attacker’s chance of bypassing integrity check mechanisms. The malware campaign is believed to have been active from at least February 2013 through spring 2015. OnionDuke does not operate like the other Duke campaigns; however, it does share some C&C infrastructure with the MiniDuke attacks. Moreover, unshared domains in both campaigns were registered using the same alias, John Kasai. As such, it stands to reason that OnionDuke is another Russian sponsored APT group.

OnionDuke attacks target government agencies in Central Europe. However, because it is unlikely that European government agencies are accessing Tor from their high value systems, the secondary distribution vector of the malware remains unclear. The malware has also been found targeting pirated software. It is possible that the campaign distributes the malware through scattershot attacks via the Tor network and torrent sites and through another yet unobserved vector, such as phishing or wateringhole attacks. The infection of Tor files appears to fail if the victim users a VPN channel that encrypts traffic. Systems infected with CozyDuke may be infected with OnionDuke if the former malware is used to deliver and execute the latter malware’s dropper. It is possible that the OnionDuke attacks were conducted to infect a broad range of target to gather information for the other Duke campaigns and to build a botnet for the adversary.

When traffic passes through the infected node, the dropperTrojan-Dropper:W32/OnionDuke.A, is appended onto the legitimate files. The dropper contains a PE resource which appears as an embedded .GIF image file. In actuality, the resource is a .DLL file, Backdoor:W32/OnionDuke.B, which is then decrypted, written to disk, and executed. Next, the DLL decrypts an embedded configuration file, which attempts to contact a hardcoded C&C domain through HTTP(s) or through Twitter (if HTTP(s) fails). The domains appear to be legitimate websites that were compromised to deliver instructions and additional components to the malware. OnionDuke, like CozyDuke, is built upon a modular platform that was designed for versatility. The toolset delivered from the C&C server contains the information stealer, a DDOS module, a password stealing module, an information gathering module, and a social network (VKontakte) spamming component.

Click to Share This Post

Type: Nation-State sponsor

Status: Active

Active Since/Discovered: February 2013

Last Report: Spring 2015

Targets: Central Europe

Target Sectors: Government

Malware:

OnionDuke Trojan
- Dropper – W32/OnionDuke.A
  - contains a PE resource which appears as an embedded .GIF image file
- Loader
- Backdoor
  - .DLL file – Backdoor:W32/OnionDuke.B
- Multiple modular core components
- Information stealer
- Distributed Denial of Service (DDoS) module
- Password stealing module
- Information gathering module
- Social network spamming module
- Uses HTTP(S) for C2
- uses Twitter as a backup C2 method
  - It also has a module designed to post messages to the Russian VKontakte social media site

Preferred Attack Vector: Tor/ Torrented files, CozyDuke

IoCs:

Communicates with C2 via HTTP(S) or Twitter (as a backup)
Shares some infrastructure with the MiniDuke campaign
- unshared domains in both campaigns were registered using the same alias, John Kasai

Unique:

Was originally spread via a malicious Tor exit node
- The Tor node would intercept any unencrypted executable files being downloaded and modify those executables by adding a malicious wrapper containing an embedded OnionDuke
- OnionDuke was executed and installed prior to the target’s executable
Has also been wrapped around Torrent files