New Version of Duqu Malware Hits Security Giant Kaspersky Lab
In the early spring of 2015, security firm Kaspersky Lab detected a cyber-intrusion into its own internal systems while testing a prototype of an anti-APT (advanced persistent threat) solution. After the attack was detected, Kaspersky launched a massive investigation, which led to the discovery of a new version of a malware platform from one of the most skilled and powerful threat actors in the APT world: the Duqu malware platform.
Duqu is a collection of software components that together provide services to the attackers, including information-stealing capabilities and injection tools. Analysts believe that Duqu is written in an unknown high-level programming language, referred to as the "Duqu framework". Experts believe that Duqu is closely related to another highly sophisticated malware, Stuxnet. Like Stuxnet, Duqu targets the Microsoft Windows OS using zero-day vulnerabilities.
Duqu 2.0, the malware associated with the Kaspersky attack, was a fully upgraded version of the original Duqu malware, which was discovered in 2011. The new version included some unique and previously unseen features. It used an advanced method to hide its presence in the system: it ran entirely in computer memory and did not leave behind any disk files or change system settings, making detection extremely difficult. It spread through the network via Microsoft Software Installer (MSI) files, which are commonly used to deploy software on remote Windows computers. The new malware exploited up to three zero-day vulnerabilities, a highly impressive feature that strongly suggests a nation-sponsored campaign.
Kaspersky confirmed that the highly sophisticated malware had successfully penetrated its internal systems by taking advantage of a zero-day in the Windows kernel. An initial security audit and technical analysis launched by Kaspersky revealed that the main goal of the attackers was to spy on and acquire the company's newest technologies and internal processes. Kaspersky said the level of sophistication of the attack may even surpass that of the Equation Group, a highly advanced, secretive computer espionage group suspected of being tied to the United States National Security Agency. However, Kaspersky has not detected any interference with its own internal processes or systems, which means that the company's products and services are completely safe.
In addition, the attack has also been recognized by rival security firm Symantec, which says that it has discovered Duqu 2.0 infections in the US, UK, Sweden, India and Hong Kong. Symantec also found evidence that the new malware was used in a number of different attack campaigns against a limited number of selected targets, including a North African telecoms company, a European telecoms company and a South East Asian electronic equipment maker.
The Moscow-based Kaspersky has a fearsome reputation for being one of the most capable detection and defense companies in the world. It has been named a leader in the Gartner Magic Quadrant for Endpoint Protection Platforms.