June 12, 2015 By Jaikumar Vijayan 3 min read

The Duqu 2.0 malware tool used in the recently disclosed attack against security vendor Kaspersky Lab shows a level of sophistication rarely seen in malicious software, security researchers said.

Duqu 2.0: State-of-the-Art Malware

On June 10, Kaspersky Lab disclosed that it had recently discovered and mitigated what CEO Eugene Kaspersky described on Forbes as a very well-planned and sophisticated attack on its networks, possibly carried out by a state-sponsored group. The threat actors behind the attack managed to gain access to data on Kaspersky’s research and development projects and new technologies but did not cause any disruption to the company’s products or services.

Enterprises should take note of the enormous skills and resources that adversaries have begun putting into tools for breaking into networks and stealing data, or for spying, corporate espionage and other malicious purposes, researchers cautioned.

“It’s safe to say that Duqu 2.0 represents both the state-of-the-art and the minimum bar for cyber operations,” Tod Beardsley, engineering manager at Rapid7, told Infosecurity Magazine. The malware is “precisely where we should expect any serious national cyber offensive capability to be.”

Lateral Movement

A technical paper released by Kaspersky Lab said the initial attack began with the targeting of one of its employees in the Asia-Pacific region. The attackers appear to have used spear phishing to gain access to the employee’s computer and infect it through what was most likely a zero-day exploit.

They then exploited another zero-day vulnerability in several versions of Microsoft Windows Server software (CVE-2014-6324) to gain domain administrator privileges and infect other systems on the company’s networks using Windows Installer (MSI) files. MSI is typically used to distribute software on remote systems but in this case was used by the attackers to move laterally across Kaspersky’s network. The Microsoft vulnerability was patched in November 2014 but was unknown at the time of this attack.

The cyberattack did not leave behind any disk files, nor did it change any system settings. Instead, the malware, which was used to steal data, resided entirely in memory, making it almost impossible to detect, Kaspersky Lab noted in its report.
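The chain described above (network logon with domain-admin rights, then an MSI package pushed to one host after another, with no disk artifacts left on the target) still leaves traces in Windows event logs on each host. The following is an added illustration, not code from Kaspersky Lab or Symantec: it correlates Security event 4624 (logon type 3, a network logon) with MsiInstaller event 1040 (start of an MSI transaction) and flags an account that pushes packages to several hosts in a short burst. The event records, hostnames, account names and addresses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event_id, account, detail).
# 4624 with type=3 is a network logon; 1040 marks the start of an MSI install.
EVENTS = [
    ("2015-06-01 09:00:05", "WS-APAC-01", 4624, "CORP\\jdoe", "type=3 src=10.0.5.17"),
    ("2015-06-01 09:00:12", "WS-APAC-01", 1040, "CORP\\jdoe", "pkg=update.msi"),
    ("2015-06-01 09:03:40", "SRV-FILE-02", 4624, "CORP\\svc-admin", "type=3 src=10.0.5.17"),
    ("2015-06-01 09:03:51", "SRV-FILE-02", 1040, "CORP\\svc-admin", "pkg=update.msi"),
    ("2015-06-01 09:05:02", "SRV-DB-01", 4624, "CORP\\svc-admin", "type=3 src=10.0.5.17"),
    ("2015-06-01 09:05:09", "SRV-DB-01", 1040, "CORP\\svc-admin", "pkg=update.msi"),
    ("2015-06-01 09:07:30", "SRV-DC-01", 4624, "CORP\\svc-admin", "type=3 src=10.0.5.17"),
    ("2015-06-01 09:07:44", "SRV-DC-01", 1040, "CORP\\svc-admin", "pkg=update.msi"),
    ("2015-06-01 11:20:00", "WS-HR-07", 4624, "CORP\\mlee", "type=2 src=-"),    # interactive
    ("2015-06-01 11:20:30", "WS-HR-07", 1040, "CORP\\mlee", "pkg=office.msi"),  # local, benign
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def remote_msi_installs(events, window=timedelta(minutes=2)):
    """MSI transactions that follow a network logon by the same account on the
    same host within `window`. Returns (timestamp, host, account, source_ip)."""
    recent_net_logons = {}  # (host, account) -> (timestamp, source ip)
    hits = []
    for ts_str, host, eid, account, detail in sorted(events):
        ts = parse_ts(ts_str)
        if eid == 4624 and "type=3" in detail:
            recent_net_logons[(host, account)] = (ts, detail.split("src=")[1])
        elif eid == 1040:
            logon = recent_net_logons.get((host, account))
            if logon and ts - logon[0] <= window:
                hits.append((ts, host, account, logon[1]))
    return hits

def lateral_spread(events, min_hosts=3, window=timedelta(minutes=15)):
    """Accounts that pushed MSI packages to at least `min_hosts` distinct hosts
    within `window`; a one-to-many burst of remote installs is the footprint
    MSI-based lateral movement leaves even when the payload runs only in memory."""
    by_account = defaultdict(list)
    for ts, host, account, _src in remote_msi_installs(events):
        by_account[account].append((ts, host))
    flagged = {}
    for account, installs in by_account.items():
        installs.sort()
        for i, (start, _host) in enumerate(installs):
            hosts = {h for t, h in installs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged
```

Thresholds are deliberately loose here; in production they would be tuned against the volume of legitimate software-deployment traffic, and the source address would be compared with the known deployment servers.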

“Its ‘persistence mechanism’ (or, rather, its absence) is quite brilliant,” Kaspersky added in Forbes. The tactics used in the strike suggested that some very serious thinking, effort and funds were put into developing the Duqu 2.0 campaign, he said.

The espionage tool applied in the Kaspersky attack appears to have been used to assault several other organizations as well, security vendor Symantec said in a report. Symantec’s assessment of the malware aligns with Kaspersky’s analysis that Duqu 2.0 is an evolution of the older Duqu worm, the company said.

A Duqu Variant

Duqu, which some have compared to the Stuxnet worm used in the attack on Iran’s nuclear power plant in Natanz, was first discovered in 2011. The malware was used for highly targeted intelligence-gathering purposes and contained a lot of code from the original Stuxnet malware.

Both Duqu and its latest iteration share a lot of the same code, Kaspersky and Symantec noted in their respective analyses of the malware. But the new Duqu has two variants: one appears to be a basic back door designed to give attackers an initial foothold on a victim network; the second contains multiple modules that allow attackers to gather system information, steal data, perform network discovery, infect other computers and communicate with command-and-control servers. It is this second variant that is deployed on systems deemed of interest to the attackers, Symantec said.

The emergence of tools like Duqu 2.0 highlights the challenges companies face in defending against modern malware. If organizations don’t have the tools or response plans in place to respond to a long-term campaign similar to Duqu 2.0, they are setting themselves up for data breaches, compromises and other dangerous situations.
