Security Company Kaspersky Lab Hacked

The Russian security firm Kaspersky Lab recently discovered that a powerful and mysterious group of attackers, the one behind the advanced persistent threat (APT) known as Duqu, had breached its systems by exploiting a zero-day vulnerability in the Windows kernel.
Duqu is a platform used for cyber-espionage; from 2012 until now, no other activity associated with it had been observed.

However, the infections were carried out by a new version of the platform, called Duqu 2. The new malware appeared in 2014 and is still active in Western countries.

The zero-day vulnerability that the malware exploits is CVE-2015-2360, which Microsoft patched on Tuesday. Kaspersky reports that one or two other vulnerabilities were also used in the attack on its systems.

Researchers report that the initial intrusion started in one of the company's smaller offices in Asia, and that spear-phishing emails were probably used.

"Malicious modules were observed trying to perform 'pass the hash' attacks on the local network, essentially giving attackers many different ways to perform lateral movement," Kaspersky Lab reports.

Over 100 malicious variants detected

Duqu 2 uses multiple tactics to spread across the network; in most cases the attackers relied on Microsoft Windows Installer (MSI) packages, which can be executed remotely on other computers.

The MSI files carried the malicious payload, which ran in memory and opened backdoors into the targets the attackers wanted to spy on.
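As an added example, not code from the article or from Kaspersky Lab, the following Python sketches how a defender might look for the two behaviours described above in Windows Security event logs: the well-known pass-the-hash artefact on the source host (event 4624 with logon type 9, logon process "seclogo" and authentication package "Negotiate", the pattern left when stolen NTLM hashes are injected into a new logon session), and msiexec.exe on a target host installing a package from a remote UNC share. The event lines are constructed for this example, the flat key=value format is a simplification of the real event XML, and both rules are generic heuristics, not Duqu 2 indicators published by Kaspersky.

```python
# Added example, not from the article or from Kaspersky Lab: two simple
# detections for the behaviours described above, run over CONSTRUCTED
# Windows Security event records written as flat key=value lines
# (a simplification of the real EventData XML).
import re
from typing import Dict, List, Set

# Constructed sample events (not real Duqu 2 telemetry).
SAMPLE_EVENTS: List[str] = [
    # Ordinary interactive logon: should not fire.
    "EventID=4624 Computer=WS01 TargetUserName=alice LogonType=2 "
    "LogonProcessName=User32 AuthenticationPackageName=Negotiate",
    # Source-host artefact of a pass-the-hash logon (new logon session with
    # injected credentials): logon type 9 via the 'seclogo' logon process.
    "EventID=4624 Computer=WS01 TargetUserName=svc_backup LogonType=9 "
    "LogonProcessName=seclogo AuthenticationPackageName=Negotiate",
    # The resulting NTLM network logon on the target looks ordinary on its own.
    "EventID=4624 Computer=SRV02 TargetUserName=svc_backup LogonType=3 "
    "LogonProcessName=NtLmSsp AuthenticationPackageName=NTLM IpAddress=10.0.0.21",
    # msiexec installing a package staged on a remote share, silently.
    'EventID=4688 Computer=SRV02 SubjectUserName=svc_backup '
    'NewProcessName=C:\\Windows\\System32\\msiexec.exe '
    'CommandLine="msiexec.exe /i \\\\ws01\\c$\\temp\\pkg.msi /q"',
    # Benign local install: should not fire.
    'EventID=4688 Computer=WS03 SubjectUserName=bob '
    'NewProcessName=C:\\Windows\\System32\\msiexec.exe '
    'CommandLine="msiexec.exe /i C:\\Users\\bob\\Downloads\\tool.msi"',
]

# key=value pairs; values containing spaces are double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flat event line into a field dictionary."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV.findall(line)}


def is_pass_the_hash_logon(ev: Dict[str, str]) -> bool:
    """4624 / LogonType 9 / seclogo / Negotiate: the pattern left on the host
    where stolen NTLM hashes are injected into a new logon session."""
    return (
        ev.get("EventID") == "4624"
        and ev.get("LogonType") == "9"
        and ev.get("LogonProcessName", "").lower() == "seclogo"
        and ev.get("AuthenticationPackageName", "").lower() == "negotiate"
    )


def is_remote_msi_install(ev: Dict[str, str]) -> bool:
    """4688 for msiexec.exe whose command line points at a UNC path, i.e. a
    package staged on another machine rather than installed locally."""
    if ev.get("EventID") != "4688":
        return False
    if not ev.get("NewProcessName", "").lower().endswith("\\msiexec.exe"):
        return False
    return "\\\\" in ev.get("CommandLine", "")


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run both rules over raw lines and return one alert per matching event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_pass_the_hash_logon(ev):
            alerts.append({"rule": "pass_the_hash_logon", "computer": ev["Computer"],
                           "account": ev.get("TargetUserName", "?")})
        elif is_remote_msi_install(ev):
            alerts.append({"rule": "remote_msi_install", "computer": ev["Computer"],
                           "account": ev.get("SubjectUserName", "?")})
    return alerts


def lateral_movement_accounts(alerts: List[Dict[str, str]]) -> Set[str]:
    """Accounts that both injected credentials on one host and ran a remote
    MSI install on another: the two halves of the movement described above."""
    pth = {a["account"] for a in alerts if a["rule"] == "pass_the_hash_logon"}
    msi = {a["account"] for a in alerts if a["rule"] == "remote_msi_install"}
    return pth & msi


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("accounts seen on both sides:", lateral_movement_accounts(found))
```

The NTLM network logon on SRV02 is deliberately left unflagged: on its own it is indistinguishable from normal activity, which is why the account-level correlation between the two rules is more useful than either rule alone.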

The main module of Duqu 2 implements communication with the command-and-control (C&C) servers, using several protocols through proxy connections and self-signed HTTPS certificates.

The purpose of the attack on Kaspersky Lab's network appears to have been espionage against the technologies the company uses and develops. However, the investigation by security experts is still under way, and more details will become known later.

Analysis of the malware showed that it could collect data on running processes and on user and terminal sessions. It also searched for and recorded files such as "*.inuse" and "*.hml", files whose names contain "data.hmi" or "val.dat", and the contents of specific folders.

Kaspersky Lab believes that the attack has had no impact on its products, technologies and services, and that its customers and partners are safe.

iGuRu.gr, The Best Technology Site in Greece

Written by giorgos