OnionDuke

By CagedTech in Trojans

Threat Scorecard

Threat Level: 60 % (Medium)
Infected Computers: 9
First Seen: November 14, 2014
Last Seen: October 23, 2020
OS(es) Affected: Windows

OnionDuke is a threat infection that may carry its attacks using the Tor network, a network that uses techniques that allow computer users to hide their addresses and locations very effectively. A Tor exit node in Russia was identified as responsible for distributing threatening Windows executable files. PC security researchers, having investigated this Tor network node identified a threat family that was originated in Russia and known as MiniDuke. This threatening family has been involved in attacks targeting NATO and European government targets! In this particular case the threat used is not precisely a MiniDuke variant. Rather, it is a separate family of threatening software that has started to become known as OnionDuke. This name originates from OnionDuke's relationship to the Tor network (which uses .onion addresses) and its relationship to the MiniDuke family of threats.

Infection Methods Used by OnionDuke

Whenever computer users try to download an executable file using the threatening Tor exit node, instead of receiving their intended file, they may also receive an additional 'gift'. The executable file may be wrapped in a second, threatening executable, which may be embedded into the original executable file. Since this is a wrapper that is added to the original file, this may allow the threatening file to bypass certain security checks. Once the file is executed, the wrapper may execute the second file, working in the background and making it seem as if everything is normal. In fact, PC security analysts have noted that OnionDuke may work in the background to carry out its threat attack. PC security analysts have noted that OnionDuke is a Trojan dropper that is disguised as an embedded GIF image file. In fact, it is an encrypted DLL file that may carry out threatening attacks on infected computers.

How OnionDuke Carries out Its Attack

When the OnionDuke DLL file is executed, OnionDuke may try to contact a remote server to receive its configuration data. This data may include instructions to download and install other threats on the computer. PC security researchers have noted that the domains that OnionDuke contacts are not threatening Web servers but, instead, genuine websites that have been corrupted by third parties so that they may form part of this attack without their owners' knowledge. PC security analysts have been able to identify certain other components of the OnionDuke attack. For example, malware analysts have noted that OnionDuke may collect information such as online passwords or credit card numbers from the infected computer. OnionDuke also may have components that are designed to gather information about the infected computer's security software, firewall or other protections. In some cases, these components may be downloaded and installed by the original OnionDuke infection, although others may have their own command and control server.

Investigating the Sources of OnionDuke Attacks

One component involving OnionDuke has caught the attention of PC security analysts. Among its data, malware researchers have noted that OnionDuke may use Twitter to receive commands from a remote location. One additional feature that also has caught the attention of PC security researchers is that the domains associated with OnionDuke were registered in 2011 by a 'John Kasai', who has also registered numerous domains that have been associated with MiniDuke. This indicates that, although separate, the people responsible for OnionDuke may also be responsible for the devastating MiniDuke attacks and the connection between both threat families goes quite deeper.

Research on dates and code involved with OnionDuke has revealed that OnionDuke has been active since at least October of 2013 and, since February of 2014 infecting executable files contained in .torrent files used to distribute pirated software. Some of the configuration data suggests that OnionDuke has been around quite a bit longer, with several separate versions existing from earlier dates.

SpyHunter Detects & Remove OnionDuke

File System Details

OnionDuke may create the following file(s):
# File Name MD5 Detections
1. UserCache.dll c8eb6040fd02d77660d19057a38ff769 0
2. file.exe 5473e29ca75d475f545fa7d9f85e564f 0

Registry Details

OnionDuke may create the following registry entry or registry entries:
Regexp file mask
%LOCALAPPDATA%\Startup\kb[NUMBERS].lnk

Trending

Most Viewed

Loading...