The Duqu 2.0 malware tool used in the recently disclosed attack against security vendor Kaspersky Lab shows a level of sophistication rarely seen in malicious software, security researchers said.

Duqu 2.0: State-of-the-Art Malware

On June 10, Kaspersky Lab disclosed that it had recently discovered and mitigated what CEO Eugene Kaspersky described on Forbes as a very well-planned and sophisticated attack on its networks, possibly carried out by a state-sponsored group. The threat actors behind the attack managed to gain access to data on Kaspersky’s research and development projects and new technologies but did not cause any disruption to the company’s products or services.

Enterprises should take note of the enormous skills and resources that adversaries have begun putting into tools for breaking into networks and stealing data, or for spying, corporate espionage and other malicious purposes, researchers cautioned.

“It’s safe to say that Duqu 2.0 represents both the state-of-the-art and the minimum bar for cyber operations,” Tod Beardsley, engineering manager at Rapid7, told Infosecurity Magazine. The malware is “precisely where we should expect any serious national cyber offensive capability to be.”

Lateral Movement

A technical paper released by Kaspersky Lab said the initial attack began with the targeting of one of its employees in the Asia-Pacific region. The attackers appear to have used spear phishing to gain access to the employee’s computer and infect it through what was most likely a zero-day exploit.

They then exploited another zero-day vulnerability in several versions of Microsoft Windows Server software (CVE-2014-6324) to gain domain administrator privileges and infect other systems on the company’s networks using Windows Installer (MSI) files. MSI is typically used to distribute software on remote systems but in this case was used by the attackers to move laterally across Kaspersky’s network. The Microsoft vulnerability was patched in November 2014 but was unknown at the time of this attack.

The cyberattack did not leave behind any disk files, nor did it change any system settings. Instead, the malware, which was used to steal data, resided entirely in memory, making it almost impossible to detect, Kaspersky Lab noted in its report.

“Its ‘persistence mechanism’ (or, rather, its absence) is quite brilliant,” Kaspersky added in Forbes. The tactics used in the strike suggested that some very serious thinking, effort and funds were put into developing the Duqu 2.0 campaign, he said.

The espionage tool applied in the Kaspersky attack appears to have been used to assault several other organizations as well, security vendor Symantec said in a report. Symantec’s assessment of the malware aligns with Kaspersky’s analysis that Duqu 2.0 is an evolution of the older Duqu worm, the company said.

A Duqu Variant

Duqu, which some have compared to the Stuxnet worm used in the attack on Iran’s nuclear power plant in Natanz, was first discovered in 2011. The malware was used for highly targeted intelligence-gathering purposes and contained a lot of code from the original Stuxnet malware.

Both Duqu and its latest iteration share a lot of the same code, Kaspersky and Symantec noted in their respective analysis of the malware. But the new Duqu has two variants: One of them appears to be a basic back door that is designed to give attackers an initial foothold on a victim network; the second variant contains multiple modules that allow attackers to gather system information, steal data, do network discovery, infect other computers and communicate with command-and-control servers. It is this variant that is deployed on systems deemed of interest to the attackers, Symantec said.

The emergence of tools like the new Duqu 2.0 highlight the challenges companies face in defending against modern malware. If organizations don’t have the tools or response plans in place to respond to a long-term campaign similar to Duqu 2.0, they are setting themselves up for data breaches, compromises and other dangerous situations.

More from

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Increasingly Sophisticated Cyberattacks Target Healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

4 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read