Categories: Cyber Crime, Malware

OnionDuke: APT Attacks exploited the Tor Network

Experts at F-Secure discovered a link between the crew operating a rogue Tor node used to spread OnionDuke malware and MiniDuke APT.

A few weeks ago security researcher Josh Pitts of Leviathan Security Group identified a Russian Tor exit node that was patching the binaries users downloaded through it, injecting malware into them on the fly.

The researcher informed the Tor Project, which flagged the relay as a bad exit.

“We’ve now set the BadExit flag on this relay, so others won’t accidentally run across it. We certainly do need more people thinking about more modules for the exitmap scanner. In general, it seems like a tough arms race to play,” wrote Roger Dingledine, one of the original developers of Tor.

The Tor Project took the malicious exit node out of service promptly, but a new investigation of the case reveals that the threat actors who operated the node had been serving malware through this scheme for more than a year.

Pitts discovered that the attackers abused the Tor exit node to deliver a backdoor to the victim’s PC: the node sat in the middle of every unencrypted file download and patched the executable in transit, a classic man-in-the-middle attack.
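The detection the Tor developers allude to with "more modules for the exitmap scanner" is simple in principle: fetch the same file through many exits, compare each copy against a reference fetched directly, and flag any exit whose copy differs. The block below is an added example written for this article, not code from Leviathan Security, F-Secure or the Tor Project. It works offline on constructed stand-in binaries (a minimal DOS/COFF header, not real executables) and hypothetical relay fingerprints, reporting the hash mismatch, the size growth and the first differing offset, plus the PE section count, which an in-transit patcher that adds a section will change. The same comparison is what an end user would do against a publisher's known-good hash.

```python
import hashlib
import struct


def build_fake_pe(num_sections: int, payload: bytes = b"") -> bytes:
    """Construct a minimal stand-in for a PE image: a DOS header whose e_lfanew
    points at a PE signature followed by a 20-byte COFF header. Constructed test
    data only; it is not a runnable executable."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> offset 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff + payload


def pe_section_count(data: bytes):
    """Parse the COFF header and return NumberOfSections, or None if the bytes
    do not look like a PE file (no MZ magic, bad e_lfanew, no PE signature)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 6)[0]


def compare_download(reference: bytes, fetched: bytes) -> dict:
    """Summarise how a copy fetched through one exit differs from the reference."""
    first_diff = next(
        (i for i, (a, b) in enumerate(zip(reference, fetched)) if a != b), None
    )
    if first_diff is None and len(reference) != len(fetched):
        first_diff = min(len(reference), len(fetched))   # one copy is a prefix
    return {
        "sha256_match": hashlib.sha256(reference).digest()
        == hashlib.sha256(fetched).digest(),
        "size_delta": len(fetched) - len(reference),
        "first_diff_offset": first_diff,
        "ref_sections": pe_section_count(reference),
        "got_sections": pe_section_count(fetched),
    }


def flag_patching_exits(reference: bytes, fetched_by_exit: dict) -> dict:
    """Return {exit_fingerprint: summary} for every exit whose copy of the
    file does not hash-match the reference copy fetched outside Tor."""
    flagged = {}
    for fingerprint, data in fetched_by_exit.items():
        summary = compare_download(reference, data)
        if not summary["sha256_match"]:
            flagged[fingerprint] = summary
    return flagged


# Constructed sample data: one clean image and one that a patching exit has
# modified (extra section in the header, 16-byte stub appended at the end).
CLEAN = build_fake_pe(3, b"\x90" * 32)
PATCHED = build_fake_pe(4, b"\x90" * 32 + b"\xCC" * 16)

# Hypothetical 40-hex-digit relay fingerprints; in a real scan these would be
# the exits the file was fetched through (e.g. via exitmap).
SAMPLE_FETCHES = {
    "A" * 40: CLEAN,
    "B" * 40: PATCHED,
    "C" * 40: CLEAN,
}

if __name__ == "__main__":
    for fp, summary in flag_patching_exits(CLEAN, SAMPLE_FETCHES).items():
        print(fp, summary)
```

Only the exit labelled "B…" is reported; its summary shows a 16-byte size increase, a first divergence at offset 70 (the NumberOfSections field inside the COFF header) and a section count of 4 against the reference's 3. A real scanner would fetch a fixed, publicly hosted binary through each exit's SOCKS circuit and feed the results into `flag_patching_exits` in place of the constructed dictionary.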

Security experts at F-Secure discovered that the rogue exit node was tied to the MiniDuke group. MiniDuke is the name of a sophisticated cyber espionage campaign discovered more than a year ago by experts at Kaspersky Lab and Hungary’s Laboratory of Cryptography and System Security (CrySyS). The MiniDuke APT infected dozens of machines at government agencies across Europe by exploiting a security flaw in Adobe software; the malicious payload was dropped once the victim opened a booby-trapped PDF file.

The malware was designed to steal sensitive information from government organizations and high-profile entities; the level of sophistication and the nature of the chosen targets suggest that the attacks are part of a state-sponsored espionage campaign.
The backdoor’s coding style reminded the experts of a malware-writing group believed to be extinct: 29A. The value 29A in hex is 666 and, perhaps unsurprisingly, was also left by the attackers as a clue in the code.
The 29A group published its first malware magazine in December 1996 and was active until February 2008, when Virusbuster, the last remaining member, announced the group’s dissolution.
“Their use of multiple levels of encryption and clever coding tricks made the malware hard to detect and difficult to reverse engineer. The code also contained references to Dante Alighieri’s Divine Comedy and alluded to 666, the “mark of the beast” discussed in the biblical Book of Revelation,” wrote Ars Technica in a blog post.

According to the experts, “OnionDuke”, the name assigned to the malware spread through the bogus exit node, is a different family from the ones used in the past by the threat actor behind MiniDuke.

It must be noted that none of the five domains contacted by OnionDuke are dedicated malicious servers; they are legitimate websites compromised by the threat actors and used as command and control relays.

The experts identified several samples of the malware and multiple other components of the OnionDuke family, each designed to execute a specific task such as data theft.

“Through our research, we have also been able to identify multiple other components of the OnionDuke malware family. We have, for instance, observed components dedicated to stealing login credentials from the victim machine and components dedicated to gathering further information on the compromised system like the presence of antivirus software or a firewall.” states the post. “Most of these components don’t embed their own C&C information but rather communicate with their controllers through the original backdoor process”

The analysis of the various samples nonetheless allowed the researchers at F-Secure to establish the link with the MiniDuke gang: the Command & Control (C&C) domain hardcoded in one of the OnionDuke samples spread through the malicious exit node, W32/OnionDuke.A, was registered by the same party that registered known MiniDuke C&C domains.

This circumstance suggests that although OnionDuke and MiniDuke are two separate strains of malware, the threat actors behind them shared the control infrastructure.

“One component, however, is an interesting exception. This DLL file (SHA1 d433f281cf56015941a1c2cb87066ca62ea1db37, detected as Backdoor:W32/OnionDuke.A) contains among its configuration data a different hardcoded C&C domain, overpict.com and also evidence suggesting that this component may abuse Twitter as an additional C&C channel. What makes the overpict.com domain interesting, is it was originally registered in 2011 with the alias of “John Kasai”. Within a two-week window, “John Kasai” also registered the following domains: airtravelabroad.com, beijingnewsblog.net, grouptumbler.com, leveldelta.com, nasdaqblog.net, natureinhome.com, nestedmail.com, nostressjob.com, nytunion.com, oilnewsblog.com, sixsquare.net and ustradecomp.com. This is significant because the domains leveldelta.com and grouptumbler.com have previously been identified as C&C domains used by MiniDuke.” reports F-Secure in the blog post.

The experts recommend downloading binaries only over encrypted channels, so that an intermediary such as a Tor exit cannot tamper with them as happened in the OnionDuke campaign; verifying a downloaded file against a publisher-supplied hash or signature offers a second line of defense.

“SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted,” said Pitts.

Readers interested in analyzing samples of the malware can refer to the post published on Contagio.

Pierluigi Paganini

(Security Affairs –  OnionDuke, Tor)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
