A Little History
Duqu is a class of malware, commonly referred to as a worm, that is a standalone malicious program that may affect (or attach to) the machines it uses to replicate itself while it uses the network to spread itself to other computers. Duqu was originally discovered in 2011 by the Laboratory of Cryptography and System Security (CrySyS Lab) and was determined to be part of class or family of malware related to the famous Stuxnet worm discovered in 2010. After its discovery and subsequent protection made available throughout the Information Security community, Duqu went dormant for several years. This dormant period has ended and Kaspersky Lab (Kaspersky) detected and identified a new version of Duqu, which included updates to help avoid detection among other things, giving it the name Duqu 2.0.
Kaspersky first discovered Duqu 2.0 when it was used as part of an attack targeting their internal networks. Kaspersky researchers were working on a new advanced persistent threat technology and casually came across the breach of their internal network. The initial attack, Kaspersky believes, began with targeting of an employee in one of their smaller offices in the APAC region in the fall of 2014. The initial attack vector used is still unknown however Kaspersky suspects it to be spear phishing emails, or targeted malicious emails that appear to be from a trustworthy source, as the identified employee used as the entry point into their network has their mailbox and web browser history wiped to hide traces of the attack. A zero-day exploit was used to compromise the computer to gain escalated privileges as all machines were fully patched where this new version of Duqu was installed. From this point, the attackers could create a pivot point and move laterally through Kaspersky’s network.
How it Works
Duqu 2.0 is advanced malware with two distinct variants that have been identified as of this writing. The first is a smaller sized variant and contains a basic backdoor that could be used by an attacker to gain a persistent foothold by infecting other computers inside a company’s network. The second is larger sized variant that contains some complexity to it. It contains the same backdoor as the first variant however adds additional modules for purposes such as information gathering / stealing, network discovery / infection, and communication command-and-control (C&C) servers. According to Symantec, the variant appears to be deployed on computers that are of interest by the attackers.
To gain access, Duqu 2.0 took advantage of three identified zero-day vulnerabilities all of which have now been patched by Microsoft. The three vulnerabilities used as of this writing were CVE-2014-4148 (TrueType Font Parsing Remote Code Execution Vulnerability), CVE-2014-6324 (Kerberos Checksum Vulnerability) and CVE-2015-2360 (Win32k Elevation of Privilege Vulnerability). In the case with all three of these vulnerabilities, the attacker could gain escalated privileges (i.e., kernel-mode code execution or domain admin privileges depending on the vulnerability) on the target system allowing the attacker to install their malicious code. According to the report issued by Kaspersky, attackers used CVE-2014-4148 to gain access during their spear phishing attack and subsequently CVE-2014-6324 for lateral movement within Kaspersky’s network. To infect other computers within the network, the most common practice observed was preparing a Microsoft Windows Installer Package (MSI) and then deploying it to remote machines. This involved using encryption algorithms such as Camellia, AES and RC4 and compression algorithms such as LZF, FastLZ and LZO. Kaspersky, during their research, noted that attackers were careful enough to implement unique methods and names for each attack to help increase the likelihood of not being detected.
Duqu 2.0 has been authored to avoid detection as best as possible. To do this, it resides solely in the computer’s memory with no files being written to disk leaving Duqu 2.0 without traditional persistence avenues. To maintain persistence (as a reboot to remove the malware), the authors of Duqu 2.0 added a level of sophistication that was well planned. Duqu 2.0 infects servers with high uptime that allows it to then re-infect a machine within the Windows domain upon startup that has been “disinfected” by reboot. The only exception to this is systems identified to be firewalls, gateways (such as proxies) or any other type of server that has Internet access. These identified systems had a driver installed, named “portserv.sys”, which is digitally signed using stolen trusted certificates from Hon Hai Precision Industry Company Ltd (i.e., Foxconn Electronics). Drivers signed by Foxconn are inherently trusted by Microsoft Windows due to the volume of products and devices manufactured by Foxconn for customers like Dell, Google and Apple. This allowed this malicious driver to avoid detection from most anti-malware solutions as they generally do not detect new drivers as malicious if trusted by the operating system. This driver deployment covered the scenario where all systems lost power or were rebooted at the same time thus causing the malware to be removed from all systems at the same time. From one system with Internet connectivity, the attackers could redeploy their entire environment and regain access.
Command-and-control (C&C) mechanisms for Duqu 2.0 are also considered to be highly sophisticated and include masking C&C traffic within image files. There are two harmless images that encrypted C&C communications can be appended to. The first is an 11x11 pixel yellow GIF and the second is a 33x33 blue JPEG. These files are sent over the network using HTTP. Multiple user-agent strings have been detected which adds to the complexity of the Duqu 2.0 C&C communications. Newly infected clients may not initially be hardcoded to join the C&C group with the installation of the MSI package thus leaving them in a dormant state. Attackers can activate the dormant members of the C&C group with a special TCP packet sent over SMB containing the magic string “tttttttttttttttt”. The newly active member of the C&C group will communicate with whom it was told to as a part of the MSI package when it was installed.
Beyond Kaspersky, Duqu 2.0 was believed to have ties to the recent P5+1 events and venues where negotiations with Iran were being held with respect to a nuclear deal. Also, the threat actor group using Duqu 2.0 may have launched similar attacks in relation to the 70th anniversary of the liberation of Auschwitz-Birkenau. Symantec has also found evidence linking Duqu 2.0 targeted attacks to other organizations including a European telecoms operator, a North African telecoms operator and a South East Asian electronic equipment manufacturer.
After widespread knowledge of the original Duqu, the authors went dormant, or at least took this malware dormant, for 3-4 years until re-launching this new version. Symantec, along with others, believe the group behind Duqu are behind Duqu 2.0 and may now retreat again before emerging with new malware.
Duqu 2.0 has reached a level of widespread knowledge with its more complex variant having a detection ratio of 44/55 on VirusTotal and 33/44 on Metascan Online. The future of Duqu 2.0 is unknown. History may repeat itself.
Test, Monitor and Protect
Solutions such as Avalanche NEXT, powered by Spirent TestCloud, allows enterprises and service providers to validate how secure they are against the latest malware and attacks. Learn about your weaknesses before they do.
 Duqu 2.0, Laboratory of Cryptography and System Security, CrySyS Blog, Online
 P5+1 Negotiations with Iran, The White House News and Updates, Online
 Analysis of 3F52EA949F2BD98F1E6EE4EA1320E80D.DL$, Metascan Online, Online