June 12, 2015, by Jaikumar Vijayan

The Duqu 2.0 malware tool used in the recently disclosed attack against security vendor Kaspersky Lab shows a level of sophistication rarely seen in malicious software, security researchers said.

Duqu 2.0: State-of-the-Art Malware

On June 10, Kaspersky Lab disclosed that it had recently discovered and mitigated what CEO Eugene Kaspersky described on Forbes as a very well-planned and sophisticated attack on its networks, possibly carried out by a state-sponsored group. The threat actors behind the attack managed to gain access to data on Kaspersky’s research and development projects and new technologies but did not cause any disruption to the company’s products or services.

Enterprises should take note of the enormous skills and resources that adversaries have begun putting into tools for breaking into networks and stealing data, or for spying, corporate espionage and other malicious purposes, researchers cautioned.

“It’s safe to say that Duqu 2.0 represents both the state-of-the-art and the minimum bar for cyber operations,” Tod Beardsley, engineering manager at Rapid7, told Infosecurity Magazine. The malware is “precisely where we should expect any serious national cyber offensive capability to be.”

Lateral Movement

A technical paper released by Kaspersky Lab said the initial attack began with the targeting of one of its employees in the Asia-Pacific region. The attackers appear to have used spear phishing to gain access to the employee’s computer and infect it through what was most likely a zero-day exploit.

They then exploited another zero-day vulnerability in several versions of Microsoft Windows Server software (CVE-2014-6324) to gain domain administrator privileges and infect other systems on the company’s networks using Windows Installer (MSI) files. MSI is typically used to distribute software on remote systems but in this case was used by the attackers to move laterally across Kaspersky’s network. The Microsoft vulnerability was patched in November 2014 but was unknown at the time of this attack.
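As an added defensive illustration (not code from the article, Kaspersky Lab or Symantec): a small Python detector that flags an account launching quiet, unattended MSI installs from shares or Temp directories on several hosts within a short window, the trace that pushing installer packages around a network tends to leave in process-creation logs. The one-line log format, hostnames and account names below are constructed for this example; real Windows 4688 events would first have to be exported into a similar line format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified process-creation format (an assumption
# for this example). Only the svc-deploy entries should trip the detector.
SAMPLE_LOG = """\
2015-06-01T09:12:03Z host=WS-APAC-17 EventID=4688 User=CORP\\jdoe NewProcess=C:\\Windows\\System32\\msiexec.exe CommandLine="msiexec.exe /i C:\\Users\\jdoe\\Downloads\\reader.msi"
2015-06-01T09:40:11Z host=WS-APAC-17 EventID=4688 User=CORP\\svc-deploy NewProcess=C:\\Windows\\System32\\msiexec.exe CommandLine="msiexec.exe /i \\\\WS-APAC-17\\C$\\Windows\\Temp\\a.msi /q"
2015-06-01T09:40:12Z host=FS-02 EventID=4688 User=CORP\\svc-deploy NewProcess=C:\\Windows\\System32\\msiexec.exe CommandLine="msiexec.exe /i C:\\Windows\\Temp\\b.msi /qn"
2015-06-01T09:40:15Z host=DC-01 EventID=4688 User=CORP\\svc-deploy NewProcess=C:\\Windows\\System32\\msiexec.exe CommandLine="msiexec.exe /i \\\\FS-02\\admin$\\Temp\\c.msi /quiet"
2015-06-01T10:05:00Z host=WS-07 EventID=4688 User=CORP\\alice NewProcess=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) EventID=4688 User=(?P<user>\S+) '
    r'NewProcess=(?P<proc>\S+) CommandLine="(?P<cmd>[^"]*)"$'
)
QUIET_RE = re.compile(r'(?i)(^|\s)/(q|qn|qb|quiet)(\s|$)')   # unattended install switches
PKG_RE = re.compile(r'(?i)/i\s+(?P<pkg>\S+\.msi)')            # package given to "msiexec /i"

def is_suspicious_msi(cmd: str) -> bool:
    """Quiet install of a package sitting on a UNC share or in a Temp directory:
    what a remote push of an MSI looks like, as opposed to a user running an installer."""
    pkg = PKG_RE.search(cmd)
    if not pkg or not QUIET_RE.search(cmd):
        return False
    path = pkg.group("pkg").lower()
    return path.startswith("\\\\") or "\\temp\\" in path

def flag_msi_lateral_movement(log_text, window=timedelta(minutes=10), min_hosts=2):
    """Group suspicious msiexec launches by account and report every account that
    reached at least min_hosts distinct hosts inside one sliding time window."""
    events = defaultdict(list)  # user -> [(timestamp, host)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("proc").lower().endswith("\\msiexec.exe"):
            continue
        if is_suspicious_msi(m.group("cmd")):
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            events[m.group("user")].append((ts, m.group("host")))
    alerts = []
    for user, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, sorted(hosts)))
                break
    return alerts
```

Tuning the window and host threshold to the organisation's real deployment tooling keeps legitimate software-distribution accounts from flooding the alert list.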

The cyberattack did not leave behind any disk files, nor did it change any system settings. Instead, the malware, which was used to steal data, resided entirely in memory, making it almost impossible to detect, Kaspersky Lab noted in its report.

“Its ‘persistence mechanism’ (or, rather, its absence) is quite brilliant,” Kaspersky added in Forbes. The tactics used in the strike suggested that some very serious thinking, effort and funds were put into developing the Duqu 2.0 campaign, he said.

The espionage tool applied in the Kaspersky attack appears to have been used to assault several other organizations as well, security vendor Symantec said in a report. Symantec’s assessment of the malware aligns with Kaspersky’s analysis that Duqu 2.0 is an evolution of the older Duqu worm, the company said.

A Duqu Variant

Duqu, which some have compared to the Stuxnet worm used in the attack on Iran’s nuclear power plant in Natanz, was first discovered in 2011. The malware was used for highly targeted intelligence-gathering purposes and contained a lot of code from the original Stuxnet malware.

Both Duqu and its latest iteration share a lot of the same code, Kaspersky and Symantec noted in their respective analyses of the malware. But the new Duqu has two variants: one appears to be a basic back door designed to give attackers an initial foothold on a victim network; the second contains multiple modules that allow attackers to gather system information, steal data, perform network discovery, infect other computers and communicate with command-and-control servers. It is this second variant that is deployed on systems deemed of interest to the attackers, Symantec said.

The emergence of tools like Duqu 2.0 highlights the challenges companies face in defending against modern malware. If organizations don’t have the tools or response plans in place to respond to a long-term campaign similar to Duqu 2.0, they are setting themselves up for data breaches, compromises and other dangerous situations.
