A few days ago, the security industry was surprised by the discovery of a new strain of the popular Duqu worm, so called Duqu 2.0. The most disconcerting fact related to the discovery of the malware is that Duqu 2.0 was used to hack systems at Kaspersky Lab. A security firm was compromised by a malicious agent that experts consider a government malware.
Experts at CrySySLab who analyzed the strain of Duqu 2.0 that infected systems at Kaspersky Lab in May 2015 speculated that the group is still active.
“After analyzing the samples that we received, we think that the attackers behind the Duqu malware are back and active,” CrySySLab concludes.” states the analysis from CrySySLab.
Despite Duqu 2.0 have many similarities with its predecessor, the new strain of the popular malware is considered by researchers very dangerous, experts defined it stealthy and difficult to detect because it is solely resident in the computer’s memory, leaving no traces to the disk. Duqu 2.0 works as a backdoor into the infected system and once running exfiltrate data sending it back to the C&C servers.
Duqu 2.0 infected systems of a large number of targets in several countries, including US, UK, Sweden, many other victims are in Asia and North Africa.
As usually happens in government malware, also Duqu 2.0 malware exploited three different zero-day vulnerabilities. Another singularity of the malware is the way it sends data back to the C&C servers, according to the experts at Kaspersky Lab attackers infected network gateways and firewalls by installing malicious drivers that proxy all the internal traffic to the C&C servers.
Eugene Kaspersky, CEO of the security firm, defined the Duqu 2.0 campaign high sophisticated and “almost invisible.”
Kaspersky described Duqu 2.0 as a “mix of Alien, Terminator and Predator, in terms of Hollywood”.
“They wanted to prove themselves that they’re cool, so they’re able to affect a leading security IT company,” Kaspersky said. “That was a mistake. I’m afraid that the costs of this project, cyber attack, could be ten million dollars, maybe more.”
But security experts have a different opinion, threat actors behind Duqu 2.0 have targeted the company to steal information about its activities and related to detection mechanisms implemented by the security firm.
Researchers also speculate that threat attackers were interested in the current investigations of the company on APT groups.of its activities and related to detection mechanisms implemented by the security firm.
“They were watching, but they were watching only the information related to virus research and technologies – how do we find malware in the internet, in other customers’ computers, and how we process this malware, and which kind of malware is manually processed.” explained Eugene Kaspersky.
Tod Beardsley, an engineering manager at Rapid7, highlighted the incident at Kaspersky is an alert for the entire security industry.
“Kaspersky has a reputation for being one of the most capable detection and defence organisations in the world, and the fact that they were compromised is a sobering reminder that the gap between offense and defence is, today, massively lopsided in favour of the attacker.” said Beardsley.
Who is behind Duqu 2.0?
The problem of attribution for a cyber attack is hard to solve, an attacker could introduce false flags in order to deceive the investigators, according to Mikko Hypponen bad actors behind Duqu 2.0 adopted a similar tactic by adding one of the drivers that contain the string “ugly.gorilla” used by the Chinese APT known as Comment Crew.
Duqu 2.0 included several false flags: one of the drivers contains string “ugly.gorilla” which is a reference to Comment Crew. From China.
— Mikko Hypponen (@mikko) 10 Giugno 2015
Security experts sustain that Duqu was the product of a joint effort of the NSA Tao and the Israeli Unit 8200, it’s obvious that both intelligence agencies are suspected also for Duqu 2.0. The analysis published by Kaspersky revealed that Duqu 2.0 was not designed by the Equation Group, this means that Israel is the prime suspect for the campaign. The same opinion is shared by Richard Bejtlich of FireEye.
Based only on multiple elements of the @KimZetter story of @kaspersky intrusion, it seems that “Duqu 2.0” might be an Israeli campaign.
— Richard Bejtlich (@taosecurity) 10 Giugno 2015
Stay Tuned!
(Security Affairs – Duqu 2.0, malware)