OnionDuke: APT Attacks exploited the Tor Network

Pierluigi Paganini November 16, 2014

Experts at F-Secure discovered a link between the crew operating a rogue Tor node used to spread OnionDuke malware and MiniDuke APT.

A few weeks ago the security research Josh Pitts of Leviathan Security Group identified a Russian Tor exit node that is patching the binaries downloaded by the users with malware.

The researcher informed officials of the Tor Project, who flagged the Tor exit node as bad.

“We’ve now set the BadExit flag on this relay, so others won’t accidentally run across it. We certainly do need more people thinking about more modules for the exitmap scanner. In general, it seems like a tough arms race to play,” wrote Roger Dingeldine, one of the original developers of Tor. 

The officials with the privacy service immediately shut down the malicious Tor exit node, new investigations on the case reveal that the threat actors that managed the node is serving malware through the explained scheme for more than a year.

exit node serving OnionDuke malware

Pitts discovered the that attackers abused of the Tor exit node to serve backdoor to the victim’s PC, during file download, through a man-in-the middle attack.

Security experts at F-Secure discovered that the rogue exit node was tied to the MiniDuke criminal crew, MiniDuke is the name of a sophisticated cyber espionage campaign discovered more than one year ago by experts at Kaspersky Lab and Hungary’s Laboratory of Cryptography and System Security (CrySyS). The MiniDuke APT infected dozens of machines at government agencies across Europe exploiting a security flaw in Adobe software, the malicious Payload is dropped once the victim opens the malicious PDF file.

The malware was designed to steal sensitive information from government organizations and high profile entities, the level of sophistication and the nature of the chosen targets suggest that the attacks are part of a state-sponsored espionage campaign.
The backdoor coding style used by threat actor reminds to the experts a malware writing group which is believed to be extinct: 29A. The value 29A in hex means 666, and perhaps not unsurprisingly, was also left by the attackers as a clue in the code.
29A group published its first malware magazine in December 1996 and were active until February 2008, when Virusbuster, the last standing man announced the group’s dismissal.
“Their use of multiple levels of encryption and clever coding tricks made the malware hard to detect and difficult to reverse engineer. The code also contained references to Dante Alighieri’s Divine Comedy and alluded to 666, the “mark of the beast” discussed in the biblical Book of Revelation.” wrote Ars technical in a blog post.

According to the experts, “OnionDuke,” this is the name assigned to the malware spread through the bogus exit node, is a malware different from the ones used in the past by the threat actor behind the MiniDuke crew.

It must be noted that all five domains contacted by the OnionDuke aren’t dedicated malicious servers, instead they are legitimate websites compromised by threat actors.

The experts identified different sample of the malware and multiple other components of the OnionDuke malware family, which were designed to execute specific tasks like the data stealing.

“Through our research, we have also been able to identify multiple other components of the OnionDuke malware family. We have, for instance, observed components dedicated to stealing login credentials from the victim machine and components dedicated to gathering further information on the compromised system like the presence of antivirus software or a firewall.” states the post. “Most of these components don’t embed their own C&C information but rather communicate with their controllers through the original backdoor process”

Anyway the analysis of the various samples allowed the researchers at F-Secure to discover the link with the MiniDuke gang, the owner of the Command & Control (C&C) server used to manage the a sample of the OnionDuke malware spread through the malicious exit node, W32/OnionDuke.A, is the same that was involved of MiniDuke agent.

This circumstance suggests that although OnionDuke and MiniDuke are two separate strains of malware, the threat actors behind them shared the control infrastructure.

 “One component, however, is an interesting exception. This DLL file (SHA1 d433f281cf56015941a1c2cb87066ca62ea1db37, detected asBackdoor:W32/OnionDuke.A) contains among its configuration data a different hardcoded C&C domain, overpict.com and also evidence suggesting that this component may abuse Twitter as an additional C&C channel. What makes the overpict.com domain interesting, is it was originally registered in 2011 with the alias of “John Kasai”. Within a two-week window, “John Kasai” also registered the following domains: airtravelabroad.com, beijingnewsblog.net, grouptumbler.com, leveldelta.com, nasdaqblog.net, natureinhome.com, nestedmail.com, nostressjob.com, nytunion.com, oilnewsblog.com, sixsquare.net and ustradecomp.com. This is significant because the domains leveldelta.com and grouptumbler.com have previously been identified as C&C domains used by MiniDuke. ” reports F-Secure in the blog post.

The experts suggest the used of encrypted channels to avoid manipulation of the binaries, as occurred for the spread of OnionDuke malware.

“SSL/TLSis the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted,” said Pitts.

All my readers that are interested to analyze samples of the malware could read the post published on Contagio.

Pierluigi Paganini

(Security Affairs –  OnionDuke, Tor)

you might also like

leave a comment