• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Wing FTP Server flaw actively exploited shortly after technical details were made public

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 53

 | 

Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

McDonald’s job app exposes data of 64 Million applicants

 | 

Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

 | 

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

 | 

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Malware
  • DuneQuixote campaign targets the Middle East with a complex backdoor

DuneQuixote campaign targets the Middle East with a complex backdoor

Pierluigi Paganini April 21, 2024

Threat actors target government entities in the Middle East with a new backdoor dubbed CR4T as part of an operation tracked as DuneQuixote.

Researchers from Kaspersky discovered the DuneQuixote campaign in February 2024, but they believe the activity may have been active since 2023.

Kaspersky discovered over 30 DuneQuixote dropper samples used in the campaign. The experts identified two versions of the dropper, regular droppers (in the form of an executable or a DLL file) and tampered installer files for a legitimate tool named “Total Commander.”

The droppers were employed to download a backdoor tracked as “CR4T”. The experts detected only two CR4T implants, but they speculate the existence of many other variants which may be completely different malware.

The threat actors behind the DuneQuixote campaign took steps to prevent collection and analysis the implants through the implementation of practical and well-designed evasion methods.

The dropper connects to an embedded command-and-control (C2), whose address is hardcoded in the malicious code and is decrypted using a unique technique to prevent its exposure to automated malware analysis tools.

“The initial dropper is a Windows x64 executable file, although there are also DLL versions of the malware sharing the same functionality. The malware is developed in C/C++ without utilizing the Standard Template Library (STL), and certain segments are coded in pure Assembler.” reads the analysis published by Kaspersky. “The dropper then proceeds to decrypt the C2 (Command and Control) address, employing a unique technique designed to prevent the exposure of the C2 to automated malware analysis systems. This method involves first retrieving the filename under which the dropper was executed, then concatenating this filename with one of the hardcoded strings from Spanish poems. Following this, the dropper calculates the MD5 hash of the concatenated string, which is then used as a key for decrypting the C2 string.”

The threat actors used strings in these functions consisting of excerpts from Spanish poems. The strings differ from one sample to another, altering the signature of each sample to avoid detection through conventional methods. Then, after executing decoy functions, the malware constructs a framework for the required API calls. This framework is filled with offsets of Windows API functions, resolved through various techniques.

The dropper calculates the MD5 hash of the combined string and uses it as the key to decode the C2 server address. Then the dropper connects with the C2 server and downloads a next-stage payload.

The researchers noticed that the payload can only be downloaded once per victim or is only accessible for a short period after a malware sample is released, for this reason, researchers were unable to obtain most of the payload implants from active C2 servers.

The Total Commander installer dropper is designed to appear like a genuine Total Commander software installer but includes additional malicious components. These alterations invalidate the official digital signature of the Total Commander installer. This version of the dropper maintains the core functionality of the initial dropper but excludes Spanish poem strings and decoy functions. Additionally, it incorporates anti-analysis measures and checks to prevent connections to C2 resources.

The experts also spotted a Golang version of the CR4T implant that shares similar capabilities with the C version. It includes a command line console for machine interaction, file download/upload functions, and command execution capabilities. Notably, the malware can create scheduled tasks using the Golang Go-ole library, which interfaces with the Windows Component Object Model (COM) for Task Scheduler service interaction.

The malware achieves persistence through the COM objects hijacking technique. The malware uses the Telegram API for C2 communications, implementing the public Golang Telegram API bindings. All the interactions are similar to the C/C++ version.

“The “DuneQuixote” campaign targets entities in the Middle East with an interesting array of tools designed for stealth and persistence. Through the deployment of memory-only implants and droppers masquerading as legitimate software, mimicking the Total Commander installer, the attackers demonstrate above average evasion capabilities and techniques.” concludes the report. “The discovery of both C/C++ and Golang versions of the CR4T implant highlights the adaptability and resourcefulness of the threat actors behind this campaign.“

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, malware)


facebook linkedin twitter

DuneQuixote Hacking hacking news information security news IT Information Security malware Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 13, 2025
Wing FTP Server flaw actively exploited shortly after technical details were made public
Read more
Pierluigi Paganini July 13, 2025
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 53
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Wing FTP Server flaw actively exploited shortly after technical details were made public

    Hacking / July 13, 2025

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 53

    Breaking News / July 13, 2025

    Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 13, 2025

    McDonald’s job app exposes data of 64 Million applicants

    Hacking / July 12, 2025

    Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

    Cyber Crime / July 11, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT