CR4T Malware

Government institutions across the Middle East have become targets of a stealthy attack operation aimed at infiltrating their systems with a previously unknown backdoor known as CR4T. Cybersecurity experts first noticed this activity in February 2024, but evidence suggests that it could have commenced as early as a year before. The operation is being tracked as DuneQuixote. The perpetrators have gone to great lengths to prevent the detection and examination of their malicious implants, employing sophisticated evasion techniques in both their network communications and the design of the malware itself.

The Initial Stage of the DuneQuixote Attack Chain

The attack begins with a dropper, available in two variations: a standard dropper, either in executable or DLL form, and a manipulated installer file for the legitimate tool, Total Commander. Regardless of the variant, the primary objective of the dropper remains consistent: to extract an encrypted Command-and-Control (C2) address, utilizing an innovative decryption technique to safeguard the server address from automated malware analysis tools.

This method takes the dropper's own filename and concatenates it with one of several pre-defined excerpts from Spanish poems embedded in the dropper's code. The malware then computes the MD5 hash of the combined string and uses that hash as the decryption key for the C2 server address. Because the key depends on the filename, a sample that an automated sandbox has renamed before execution derives the wrong key and never reveals its C2 address.
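To show why this key derivation frustrates automated analysis, here is an added analyst-side illustration (not code from the campaign or from the researchers who reported it): given the on-disk filename and the poem excerpts recovered from a sample, it enumerates the candidate MD5 keys and checks whether renaming the sample changes them. The excerpts are constructed placeholders, and the hex-digest form of the key and the use of the bare filename are assumptions.

```python
"""Key-derivation helper for the DuneQuixote dropper (added illustration).

The page states the key is MD5(dropper filename + poem excerpt). This script
enumerates the candidate keys an analyst would try after pulling the excerpts
out of the binary, and shows that a sandbox which renames the sample (for
example to its hash) derives a different key set.
"""
import hashlib
from typing import Dict, List

# Constructed placeholders; the real excerpts must be recovered from the sample.
EXCERPTS: List[str] = [
    "<excerpt 1 recovered from the dropper>",
    "<excerpt 2 recovered from the dropper>",
    "<excerpt 3 recovered from the dropper>",
]


def derive_key(filename: str, excerpt: str) -> str:
    """MD5 over filename + excerpt. Hex digest and bare filename are assumptions."""
    return hashlib.md5((filename + excerpt).encode("utf-8")).hexdigest()


def candidate_keys(filename: str, excerpts: List[str]) -> Dict[str, str]:
    """Map each excerpt to the key it yields for the given on-disk filename."""
    return {ex: derive_key(filename, ex) for ex in excerpts}


def keys_survive_rename(original: str, renamed: str, excerpts: List[str]) -> bool:
    """True only if renaming the sample leaves every candidate key unchanged."""
    before = candidate_keys(original, excerpts)
    after = candidate_keys(renamed, excerpts)
    return all(before[ex] == after[ex] for ex in excerpts)


if __name__ == "__main__":
    # Constructed filenames: the name the victim saw vs. a sandbox's renamed copy.
    for ex, key in candidate_keys("setup.exe", EXCERPTS).items():
        print(f"{key}  <- {ex}")
    print("keys survive rename:", keys_survive_rename("setup.exe", "sample.bin", EXCERPTS))
```

An analyst who runs a renamed sample should restore the original filename (or try each candidate key directly) before expecting the C2 address to decrypt.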

Once the address is decrypted, the dropper connects to the C2 server and downloads the next-stage payload, sending a hard-coded ID as the User-Agent string in the HTTP request.

Access to the payload is restricted unless the correct user agent is furnished. Moreover, it appears that the payload may only be retrievable once per target or for a limited time following the deployment of a malware sample in the wild.

In contrast, the trojanized Total Commander installer differs in several ways while keeping the core functionality of the original dropper. It drops the Spanish poem strings and adds further anti-analysis checks: the installer refuses to contact the C2 server if it detects a debugger or monitoring tool, if the cursor stays stationary for longer than a set duration, if the available RAM is less than 8 GB, or if the disk capacity is below 40 GB. Analysts running the sample in a sandbox should therefore provision the VM above those thresholds and move the cursor, or the sample will never reach its network stage.

The CR4T Malware Allows Attackers to Execute Commands on the Infected Systems

CR4T ('CR4T.pdb') is a memory-only implant written in C/C++. It provides attackers with access to a command-line console for executing commands on the compromised system, performing file operations, and transferring files to and from the C2 server. Additionally, researchers have uncovered a Golang version of CR4T with similar functionalities, including the execution of arbitrary commands and the creation of scheduled tasks using the Go-ole library.

Moreover, the Golang CR4T backdoor implements persistence through COM object hijacking and utilizes the Telegram API for C2 communications. The emergence of the Golang variant indicates that the unidentified threat actors behind the DuneQuixote campaign are actively refining their tactics with cross-platform malware.

The DuneQuixote campaign focuses on entities in the Middle East and employs a diverse set of tools built for stealth and persistence. The attackers demonstrate advanced evasion capabilities by deploying memory-only implants and droppers disguised as legitimate software, such as the mimicked Total Commander installer.
