April 19, 2024 at 02:45AM
Government entities in the Middle East are targets of cyber espionage through a new backdoor named CR4T. Russian cybersecurity firm Kaspersky discovered the activity in February 2024 and uncovered a previously undocumented campaign codenamed DuneQuixote. The attackers exhibit advanced evasion capabilities and techniques through various methods to establish persistence. (Words: 50)
Key Takeaways from the Meeting Notes:
1. Cyber Espionage and Threat Intelligence:
– A new backdoor named CR4T has been discovered targeting government entities in the Middle East as part of the DuneQuixote campaign.
– The campaign was identified by Kaspersky in February 2024, with indications that it may have been active for at least a year prior.
2. Implementation of Evasion Methods:
– The threat actors behind the campaign have employed practical and well-designed evasion methods in both network communications and malware code to prevent collection and analysis of their implants.
3. Attack Method:
– The attack starts with a dropper, which extracts an embedded command-and-control (C2) address using a novel technique involving a combination of the dropper’s filename and snippets from Spanish poems present in the code.
4. Payload Download and Installation:
– The dropper establishes connections with the C2 server and downloads a next-stage payload after providing a hard-coded user-agent string in the HTTP request.
5. Trojanized Total Commander Installer:
– A trojanized version of the legitimate tool Total Commander is being used, featuring anti-analysis checks and additional functionalities to prevent connection to the C2 server under specific system conditions.
6. CR4T Backdoor:
– CR4T is a C/C++-based memory-only implant that grants attackers access to the infected machine, allowing command line execution, file operations, and communication with the C2 server.
– There is also a Golang version of CR4T with identical features, employing additional capabilities such as executing arbitrary commands, creating scheduled tasks, and utilizing the Telegram API for C2 communications.
7. Refining Tradecraft:
– The presence of the Golang variant suggests that the unidentified threat actors behind DuneQuixote are actively refining their tradecraft with cross-platform malware.
These takeaways provide valuable insight into the DuneQuixote campaign and the techniques and tools utilized by the threat actors, affirming the need for heightened vigilance and advanced security measures within affected regions.