Hello Security-Ninjas,
Recently I blogged about how important it is to apply today’s threat intelligence information to historical data. I gave the example of the Duqu malware, which contained a self-destroy capability to remain hidden. It seems the hiding strategy has evolved to a new level…
Today (10th June) Kaspersky Labs announced that they have been attacked by a new version of Duqu. At the time of writing it has been imaginatively named Duqu 2.0. It’s a very sophisticated piece of cyber-espionage malware, and speculation is that a nation-state was behind the attack, with the cost of creating the malware estimated at around $50 million. The entire malware platform relies heavily on zero-day vulnerabilities to get into systems, and from current research it doesn’t seem as if the objective of the attack is financial gain.
Eugene Kaspersky on Forbes.com
The initial infection began with a targeted attack on an employee in one of their smaller APAC offices. The original infection vector for Duqu 2.0 is unknown, but they suspect a spear-phishing e-mail played an important role, because they found indications such as mailbox and web browser history having been wiped to hide traces of the attack.
It is one of the rare malware types the researchers have found that lives purely in the memory of machines. The creators use zero-day exploits and are so confident that there will always be an infected host online in the network that it can re-infect other systems through a vulnerability in case the memory is erased.
The creators of the malware seem to be very confident that they have a set of zero-day vulnerabilities, so that even if the currently used vulnerability is patched they can exploit the next unknown one in the same environment to remain in organizations.
It’s bizarre: cleaning an environment can be done by shutting down all systems or simulating a power outage. However, if you miss one system that is infected and has Duqu 2.0 in memory, it will re-infect the others once they’re online again.
Kaspersky Lab published a great technical paper about the details: what the malware looks like, what tools it uses, what capabilities it has and how it communicates.
Kaspersky researchers also created an Indicator of Compromise (IOC) file. It includes MD5 hashes of the action loaders, MD5s of the cores and IP addresses of the command-and-control servers. You can simply search for historic IP communication in your firewall logs with Splunk, or, if you have endpoint change/monitoring systems that give you MD5 hashes of started processes, you can search those as well. If you use Splunk Enterprise Security you just need to download the IOC file and feed it into Enterprise Security. Splunk Enterprise Security will automatically process the IOC and give you historic reports as well as real-time notifications in case you are attacked in the near future.
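To make the retrospective search concrete, here is an added example (written for this post, not code from Kaspersky or from Splunk) that does by hand what an Enterprise Security lookup does for you: it loads an indicator list, then matches the C2 IP addresses against firewall log lines and the MD5 hashes against endpoint process-start events. The indicator values, the indicator file format, the log lines and the host names are all constructed placeholders; the real IOC file and its values come from Kaspersky.

```python
import re

# Constructed placeholder indicator list in a simple "type,value" format.
# These are NOT the real Duqu 2.0 indicators; take those from the Kaspersky IOC file.
IOC_TEXT = """\
# type,value
md5,00000000000000000000000000000001
md5,00000000000000000000000000000002
ip,192.0.2.10
ip,198.51.100.77
"""

# Constructed sample firewall log lines (key=value style, RFC 5737 documentation addresses).
FIREWALL_LOG = """\
2015-06-10T08:01:02Z fw01 action=allow src=10.1.5.23 dst=203.0.113.5 dport=443
2015-06-10T08:02:15Z fw01 action=allow src=10.1.5.23 dst=192.0.2.10 dport=443
2015-06-10T08:03:44Z fw01 action=deny src=10.1.7.9 dst=198.51.100.77 dport=80
"""

# Constructed sample endpoint process-start events with the MD5 of the started image.
PROCESS_EVENTS = """\
2015-06-10T08:00:30Z host=ws-apac-12 image=C:\\Windows\\System32\\svchost.exe md5=d41d8cd98f00b204e9800998ecf8427e
2015-06-10T08:02:10Z host=ws-apac-12 image=C:\\Windows\\Temp\\msi1234.tmp md5=00000000000000000000000000000001
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_iocs(text):
    """Parse the constructed 'type,value' list into {'md5': set, 'ip': set}."""
    iocs = {"md5": set(), "ip": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        if kind in iocs:
            iocs[kind].add(value.strip().lower())
    return iocs


def parse_kv(line):
    """Split a log line into its leading timestamp and a dict of key=value fields."""
    ts = line.split(" ", 1)[0]
    return ts, dict(KV_RE.findall(line))


def match_firewall(log_text, c2_ips):
    """Return (timestamp, src, dst) for every connection to a known C2 address.

    Denied connections are reported too: a blocked attempt to reach a C2 server
    still tells you which internal host is trying to talk to it.
    """
    hits = []
    for line in log_text.splitlines():
        ts, kv = parse_kv(line)
        if kv.get("dst") in c2_ips:
            hits.append((ts, kv["src"], kv["dst"]))
    return hits


def match_processes(events_text, md5s):
    """Return (timestamp, host, image, md5) for every process start whose hash is an IOC."""
    hits = []
    for line in events_text.splitlines():
        ts, kv = parse_kv(line)
        if kv.get("md5", "").lower() in md5s:
            hits.append((ts, kv["host"], kv["image"], kv["md5"]))
    return hits


def assets_to_triage(fw_hits, proc_hits):
    """Collect the internal assets (source IPs and host names) that need follow-up."""
    return sorted({h[1] for h in fw_hits} | {h[1] for h in proc_hits})


if __name__ == "__main__":
    iocs = load_iocs(IOC_TEXT)
    fw = match_firewall(FIREWALL_LOG, iocs["ip"])
    procs = match_processes(PROCESS_EVENTS, iocs["md5"])
    for hit in fw:
        print("C2 contact:", hit)
    for hit in procs:
        print("IOC hash executed:", hit)
    print("assets to triage:", assets_to_triage(fw, procs))
```

Two things the run shows that the paragraph does not spell out: the denied connection still surfaces an internal host worth triaging, and the hash match on an otherwise unremarkable temp-file image is exactly the kind of event that only a historic search over endpoint data can find once the in-memory component is gone. In Splunk the same matching is a lookup of the IOC list against your firewall and endpoint indexes.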
This is a well-documented example of the threats organizations face today. You can learn how to improve your strategy by using the kill chain methodology to defend against these kinds of APTs and to find them at different stages as early as possible.
Happy Splunking,
Matthias