June 12, 2015 By Jaikumar Vijayan 3 min read

The Duqu 2.0 malware tool used in the recently disclosed attack against security vendor Kaspersky Lab shows a level of sophistication rarely seen in malicious software, security researchers said.

Duqu 2.0: State-of-the-Art Malware

On June 10, Kaspersky Lab disclosed that it had recently discovered and mitigated what CEO Eugene Kaspersky described on Forbes as a very well-planned and sophisticated attack on its networks, possibly carried out by a state-sponsored group. The threat actors behind the attack managed to gain access to data on Kaspersky’s research and development projects and new technologies but did not cause any disruption to the company’s products or services.

Enterprises should take note of the enormous skills and resources that adversaries have begun putting into tools for breaking into networks and stealing data, or for spying, corporate espionage and other malicious purposes, researchers cautioned.

“It’s safe to say that Duqu 2.0 represents both the state-of-the-art and the minimum bar for cyber operations,” Tod Beardsley, engineering manager at Rapid7, told Infosecurity Magazine. The malware is “precisely where we should expect any serious national cyber offensive capability to be.”

Lateral Movement

A technical paper released by Kaspersky Lab said the initial attack began with the targeting of one of its employees in the Asia-Pacific region. The attackers appear to have used spear phishing to gain access to the employee’s computer and infect it through what was most likely a zero-day exploit.

They then exploited another zero-day vulnerability in several versions of Microsoft Windows Server software (CVE-2014-6324) to gain domain administrator privileges and infect other systems on the company’s networks using Windows Installer (MSI) files. MSI is typically used to distribute software on remote systems but in this case was used by the attackers to move laterally across Kaspersky’s network. The Microsoft vulnerability was patched in November 2014 but was unknown at the time of this attack.

The cyberattack did not leave behind any disk files, nor did it change any system settings. Instead, the malware, which was used to steal data, resided entirely in memory, making it almost impossible to detect, Kaspersky Lab noted in its report.

“Its ‘persistence mechanism’ (or, rather, its absence) is quite brilliant,” Kaspersky added in Forbes. The tactics used in the strike suggested that some very serious thinking, effort and funds were put into developing the Duqu 2.0 campaign, he said.

The espionage tool applied in the Kaspersky attack appears to have been used to assault several other organizations as well, security vendor Symantec said in a report. Symantec’s assessment of the malware aligns with Kaspersky’s analysis that Duqu 2.0 is an evolution of the older Duqu worm, the company said.

A Duqu Variant

Duqu, which some have compared to the Stuxnet worm used in the attack on Iran’s nuclear power plant in Natanz, was first discovered in 2011. The malware was used for highly targeted intelligence-gathering purposes and contained a lot of code from the original Stuxnet malware.

Both Duqu and its latest iteration share a lot of the same code, Kaspersky and Symantec noted in their respective analysis of the malware. But the new Duqu has two variants: One of them appears to be a basic back door that is designed to give attackers an initial foothold on a victim network; the second variant contains multiple modules that allow attackers to gather system information, steal data, do network discovery, infect other computers and communicate with command-and-control servers. It is this variant that is deployed on systems deemed of interest to the attackers, Symantec said.

The emergence of tools like the new Duqu 2.0 highlight the challenges companies face in defending against modern malware. If organizations don’t have the tools or response plans in place to respond to a long-term campaign similar to Duqu 2.0, they are setting themselves up for data breaches, compromises and other dangerous situations.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today