Authors of Duqu 2.0 used a stolen digital certificate in attacks

Malware authors behind the Duqu 2.0 used a stolen certificate from the Foxconn company to implement a persistence mechanism and stay stealthy.

New details emerge from the investigation conducted by the experts at Kaspersky on the Duqu 2.0 malware that targeted the systems of the company, the threat actors used valid certificate from Hon Hai Precision Industry Co. LTD (aka Foxconn Technology Group) to digitally sign the malicious code.

According to the malware researchers at Kaspersky, the digital certificate was issued by VeriSign and used the authors of Duqu 2.0 to digitally sign the source code of a driver designed to mask command-and-control traffic.

Foxconn provides electronic components for a wide number of companies, including Apple and BlackBerry.

The majority of Duqu 2.0 infections was observed between 2014 and 2015 concurrently to the negotiations on the Iranian nuclear program engaged by the P5+1 (the United States, United Kingdom, Germany, France, Russia, and China, facilitated by the European Union) with Iran.

“The attackers created an unusual persistence module which they deploy on compromised networks. It serves a double function – it also supports a hidden C&C communication scheme. This organization-level persistence is achieved by a driver that is installed as a normal system service. On 64-bit systems, this implies a strict requirement for an Authenticode digital signature. We have seen two such persistence drivers deployed in the course of attacks.” states a blog post published by the Kaspersky Lab’s Global Research & Analysis Team (GReAT).

The researchers discovered that the threat actors installed malicious digitally signed drivers for network devices to interfere with traffic routing.

 

“During their operations the Duqu threat actors install these malicious drivers on firewalls, gateways or any other servers that have direct Internet access on one side and corporate network access on the other side. By using them, they can achieve several goals at a time: access internal infrastructure from the Internet, avoid log records in corporate proxy servers and maintain a form of persistence after all.” continues the post.

“In essence, the drivers are redirecting network streams to and from the gateway machine that runs it,” the researchers explained. “To forward connections, the attacker first has to pass a network-based “knocking” mechanism by using a secret keyword. We have seen two different secret keywords in the samples we collected so far: “romanian.antihacker” and “ugly.gorilla”.”

The used of digitally signed code seeming to be a prerogative of threat actor behind Duqu, the attackers haven’t used the same digital signature more than once.

“Another interesting observation is that besides these Duqu drivers we haven’t uncovered any other malware signed with the same certificates,” the researchers continued. “That rules out the possibility that the certificates have been leaked and are being used by multiple groups. It also seems to indicate the Duqu attackers are the only ones who have access to these certificates, which strengthens the theory they hacked the hardware manufacturers in order to get these certificates.”

Stay tuned!

Pierluigi Paganini

(Security Affairs – Duqu 2.0,  malware)