Duqu may be the most sophisticated malware threat ever developed. The original Duqu is a notorious threat that was active between 2006 and 2012 and then disappeared. However, a threat dubbed Duqu 2.0 has recently been used in high-profile attacks against many targets around the world, including some of the most prominent computer security firms. Duqu, in its current form, gained notoriety because it exploited several zero-day vulnerabilities, including CVE-2015-2360, CVE-2014-4148 and CVE-2014-6324. Some of Duqu's intended targets appear to be linked in some way to the highly publicized nuclear deal with Iran, as well as to organizations operating in the Middle East. It is not easy to establish who is responsible for the recent versions of the Duqu attack. It is very likely a state-sponsored actor, with some strings pointing to Chinese hackers (although these may be part of a false-flag operation).
Duqu Has Been Updated Since its First Attack
The most recent Duqu attack appears to be derived directly from the older version of the Duqu worm. In its original form, Duqu was used to target industrial systems and was exposed in 2011. Duqu and similar threats such as Stuxnet were instrumental in sabotaging Iran's nuclear development program around that time. Infections between 2014 and 2015 appear to have been deployed in connection with the negotiations with Iran over its nuclear weapons research. PC security researchers were particularly alarmed when Duqu was used in an attempt to infiltrate the internal networks of antivirus companies and PC security firms. These intrusions may have started as phishing attacks, although the exact origin of the attacks is still not known. One reason it is believed that the initial infection began with a phishing attack is that the device of one suspected initial victim had its contents wiped completely, a tactic often used by malware to hide its activities.
How the Duqu Attack Works on a Targeted Device
Duqu has been linked to a powerful zero-day vulnerability that uses an extremely rare technique, which allows the attacker to reach kernel mode from a Microsoft Word document. This technique was observed in attacks in 2014, which may point to parallel projects or preliminary development. Once access to the infected computer or network was established, the exploit for CVE-2014-6324 was used to move laterally through the network, allowing the attackers to obtain an administrator account. These privileges can then be used to infect computers throughout the targeted network. The same lateral-movement techniques were observed in the 2011 Duqu infections.
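The lateral movement described above leaves a characteristic trace on the defender's side: one source host obtaining privileged network logons on many different machines in a short span of time. The following script is an added example (not code from the original article and not tied to any specific Duqu sample) that applies that heuristic to a small set of constructed logon records. The record format, the ten-minute window and the three-host threshold are assumptions chosen for illustration; in a real deployment the records would come from the domain's security event logs and the thresholds would be tuned to the environment.

```python
"""Flag source hosts that obtain privileged network logons on many distinct
destination hosts within a short window (a simple lateral-movement heuristic).

Added example; the log lines below are CONSTRUCTED and the thresholds are
assumptions, not values taken from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per line:
# timestamp,source_host,destination_host,account,logon_type,privileged
# logon_type 3 models a network logon; "privileged" marks an admin-level session.
SAMPLE_LOG = """\
2015-06-01T09:00:00,ws-17,fs-01,jdoe,3,no
2015-06-01T09:01:10,ws-17,ws-22,svc_backup,3,yes
2015-06-01T09:02:45,ws-17,ws-23,svc_backup,3,yes
2015-06-01T09:04:30,ws-17,dc-01,svc_backup,3,yes
2015-06-01T09:05:05,ws-17,fs-01,svc_backup,3,yes
2015-06-01T09:30:00,ws-04,fs-01,mlee,3,no
2015-06-01T10:15:00,ws-04,ws-22,mlee,3,yes
2015-06-01T14:00:00,ws-04,ws-23,mlee,3,yes
"""


def parse_log(text):
    """Parse the constructed CSV-style records into a list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, account, logon_type, priv = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "account": account,
            "logon_type": int(logon_type),
            "privileged": priv.lower() == "yes",
        })
    return events


def find_lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {source_host: sorted destination hosts} for every source that
    reached at least `min_hosts` distinct hosts with privileged network
    logons inside any `window`-long interval. Assumed thresholds."""
    by_src = defaultdict(list)
    for ev in events:
        # Only privileged network logons count toward the pattern.
        if ev["privileged"] and ev["logon_type"] == 3:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        # Slide a window starting at each event and count distinct targets.
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:]
                     if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                findings[src] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for src, hosts in find_lateral_movement(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} obtained privileged logons on {len(hosts)} hosts: {hosts}")
```

In the constructed data, `ws-17` reaches four different machines with an admin-level session in under five minutes and is flagged, while `ws-04` performs two privileged logons hours apart and is not. The same logic generalizes to any record source that exposes time, source, destination and privilege level; the point is the rate of distinct privileged targets per source, which is independent of the specific vulnerability used to obtain the credentials.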
Duqu 2.0 May Be One of the Most Sophisticated Threats Observed to Date
Duqu uses very sophisticated methods to evade detection and removal, residing in memory and not writing files to the infected device's disk. Duqu also appears to have several variants, which introduce new features over the course of an attack. Duqu 2.0 may be using a misappropriated certificate from Foxconn that allows it to maintain persistence on a device and avoid detection. Duqu was also able to hide its communications with its Command and Control server effectively, using sophisticated techniques to manipulate traffic. The use of misappropriated certificates in connection with Duqu, and the fact that these certificates have not been linked to other malware threats, speaks to the sophistication of the group carrying out this attack, since it implies that they managed to compromise the certificates' owners in order to obtain them for their own use. There are, however, some similarities between Duqu 2.0 and the older versions of this threat, including shared strings, a nonstandard architecture and the coding style.