June 12, 2015 By Jaikumar Vijayan 3 min read

The Duqu 2.0 malware tool used in the recently disclosed attack against security vendor Kaspersky Lab shows a level of sophistication rarely seen in malicious software, security researchers said.

Duqu 2.0: State-of-the-Art Malware

On June 10, Kaspersky Lab disclosed that it had recently discovered and mitigated what CEO Eugene Kaspersky described on Forbes as a very well-planned and sophisticated attack on its networks, possibly carried out by a state-sponsored group. The threat actors behind the attack managed to gain access to data on Kaspersky’s research and development projects and new technologies but did not cause any disruption to the company’s products or services.

Enterprises should take note of the enormous skills and resources that adversaries have begun putting into tools for breaking into networks and stealing data, or for spying, corporate espionage and other malicious purposes, researchers cautioned.

“It’s safe to say that Duqu 2.0 represents both the state-of-the-art and the minimum bar for cyber operations,” Tod Beardsley, engineering manager at Rapid7, told Infosecurity Magazine. The malware is “precisely where we should expect any serious national cyber offensive capability to be.”

Lateral Movement

A technical paper released by Kaspersky Lab said the initial attack began with the targeting of one of its employees in the Asia-Pacific region. The attackers appear to have used spear phishing to gain access to the employee’s computer and infect it through what was most likely a zero-day exploit.

They then exploited another zero-day vulnerability in several versions of Microsoft Windows Server software (CVE-2014-6324) to gain domain administrator privileges and infect other systems on the company’s networks using Windows Installer (MSI) files. MSI is typically used to distribute software on remote systems but in this case was used by the attackers to move laterally across Kaspersky’s network. The Microsoft vulnerability was patched in November 2014 but was unknown at the time of this attack.

The cyberattack did not leave behind any disk files, nor did it change any system settings. Instead, the malware, which was used to steal data, resided entirely in memory, making it almost impossible to detect, Kaspersky Lab noted in its report.

“Its ‘persistence mechanism’ (or, rather, its absence) is quite brilliant,” Kaspersky added in Forbes. The tactics used in the strike suggested that some very serious thinking, effort and funds were put into developing the Duqu 2.0 campaign, he said.

The espionage tool applied in the Kaspersky attack appears to have been used to assault several other organizations as well, security vendor Symantec said in a report. Symantec’s assessment of the malware aligns with Kaspersky’s analysis that Duqu 2.0 is an evolution of the older Duqu worm, the company said.

A Duqu Variant

Duqu, which some have compared to the Stuxnet worm used in the attack on Iran’s nuclear power plant in Natanz, was first discovered in 2011. The malware was used for highly targeted intelligence-gathering purposes and contained a lot of code from the original Stuxnet malware.

Both Duqu and its latest iteration share a lot of the same code, Kaspersky and Symantec noted in their respective analysis of the malware. But the new Duqu has two variants: One of them appears to be a basic back door that is designed to give attackers an initial foothold on a victim network; the second variant contains multiple modules that allow attackers to gather system information, steal data, do network discovery, infect other computers and communicate with command-and-control servers. It is this variant that is deployed on systems deemed of interest to the attackers, Symantec said.

The emergence of tools like the new Duqu 2.0 highlight the challenges companies face in defending against modern malware. If organizations don’t have the tools or response plans in place to respond to a long-term campaign similar to Duqu 2.0, they are setting themselves up for data breaches, compromises and other dangerous situations.

More from

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

White House cements CISA’s role as national coordinator for cybersecurity

2 min read - In 2013, the Obama Administration rolled out "The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience", a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created "to strengthen and maintain secure, functioning and resilient critical infrastructure."The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024, President…

How a new wave of deepfake-driven cybercrime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit.Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries.Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break into customer…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today