Government agencies in the Middle East are being targeted as part of a previously undocumented campaign to distribute a new backdoor called CR4T.
Russian cybersecurity firm Kaspersky discovered the activity in February 2024 and said there is evidence to suggest it may have been active for at least a year. The campaign has been codenamed DuneQuixote.
“The group behind this campaign has taken steps to prevent the collection and analysis of its implants, implementing practical and well-designed evasion methods in both network communications and malware code,” Kaspersky said.
The starting point of the attack is a dropper, which comes in two variants: a regular dropper implemented as an executable or DLL file, and a modified installer of the legitimate file manager Total Commander.
Regardless of the variant, the dropper's main function is to extract an embedded command-and-control (C2) address, which is decrypted using a technique designed to keep the server address from being exposed to automated malware analysis tools.
Specifically, the dropper takes its own filename and concatenates it with one of many hardcoded snippets of Spanish poetry present in the dropper code. It then calculates the MD5 hash of the combined string, and that hash serves as the key to decrypt the C2 server address. Because the key depends on the filename, a sample that has been renamed (for example, to its hash by a sandbox or an analyst) will not decrypt the correct address.
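The following Python is an added illustration of the key derivation described above; it is not Kaspersky's code and not the malware's. It shows MD5 over the sample's filename concatenated with a poem snippet, and why a renamed sample cannot recover its C2 address. The poem fragments, the deployed filename, the C2 value and the use of repeating-key XOR as the cipher keyed by the digest are all assumptions; the article names only the MD5 step.

```python
import hashlib
import re
from itertools import cycle

# Constructed stand-ins for the hardcoded poem fragments; the real strings are
# not reproduced on this page.
POEM_SNIPPETS = [
    "En un lugar de la Mancha",
    "de cuyo nombre no quiero acordarme",
    "no ha mucho tiempo que vivia un hidalgo",
]

# Loose hostname shape used to spot a successful decryption.
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def derive_key(filename: str, snippet: str) -> bytes:
    """MD5(filename || snippet), the step the article describes.

    The dropper's own on-disk name goes in, so the key is tied to the file
    name the attacker chose at deployment time.
    """
    return hashlib.md5((filename + snippet).encode("utf-8")).digest()


def xor_stream(data: bytes, key: bytes) -> bytes:
    # ASSUMPTION: the page does not name the cipher keyed by the MD5 digest;
    # a repeating-key XOR stands in for it here.
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def seal_c2(c2: str, filename: str, snippet: str) -> bytes:
    """Builder side: encrypt the C2 address under the filename-bound key."""
    return xor_stream(c2.encode("utf-8"), derive_key(filename, snippet))


def unseal_c2(blob: bytes, filename: str, snippet: str) -> str:
    """Dropper side at run time: decrypt using whatever name the file has now."""
    return xor_stream(blob, derive_key(filename, snippet)).decode("utf-8", errors="replace")


def recover_c2(blob: bytes, candidate_filenames, snippets=POEM_SNIPPETS):
    """Analyst side: try every (filename, snippet) pair and keep decryptions
    that look like a hostname. Returns a list of (filename, snippet, host)."""
    hits = []
    for name in candidate_filenames:
        for snippet in snippets:
            text = unseal_c2(blob, name, snippet)
            if HOST_RE.match(text):
                hits.append((name, snippet, text))
    return hits


if __name__ == "__main__":
    deployed_name = "TotalCmdSetup.exe"  # constructed deployment name
    blob = seal_c2("c2.example.test", deployed_name, POEM_SNIPPETS[1])
    print(unseal_c2(blob, deployed_name, POEM_SNIPPETS[1]))  # original name: address decrypts
    print(unseal_c2(blob, "a1b2c3.bin", POEM_SNIPPETS[1]))  # renamed by a sandbox: garbage
    print(recover_c2(blob, ["a1b2c3.bin", "sample.exe", deployed_name]))
```

The practical point for an analyst: pipelines that rename submitted samples to their hash feed the wrong name into the key derivation and never see the C2 address, so keep the original filename when working the sample, or enumerate plausible names against every poem snippet as recover_c2 does.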
The dropper then connects to the C2 server and downloads the next-stage payload, supplying a hardcoded ID as the User-Agent string in its HTTP request.
“The payload cannot be accessed and downloaded unless the correct user agent is provided,” Kaspersky said. “Furthermore, it appears that the payload can only be downloaded once per victim, or is only available for a short period of time after a sample of the malware is released into the public domain.”
The trojanized Total Commander installer, on the other hand, retains the main functionality of the original dropper but with some differences.
It drops the Spanish poetry strings and adds anti-analysis checks that prevent any connection to the C2 server if a debugger or monitoring tool is installed on the system, if the cursor position does not change after a certain amount of time, if available RAM is less than 8 GB, or if free disk space is less than 40 GB.
CR4T (“CR4T.pdb”) is a C/C++-based memory-only implant that gives the attacker console access to execute command lines on the infected machine, perform file operations, and upload and download files after connecting to the C2 server.
Kaspersky said it also discovered a Golang version of CR4T with identical functionality, plus the ability to run arbitrary commands and create scheduled tasks using the Go-ole library.
The Golang variant additionally achieves persistence through COM object hijacking and can use the Telegram API for C2 communications.
The presence of Golang variants indicates that the unknown attackers behind DuneQuixote are actively refining their cross-platform malware techniques.
“The 'DuneQuixote' campaign targets businesses in the Middle East with a set of interesting tools designed for stealth and persistence,” Kaspersky said.
“Through the deployment of memory-only implants and droppers disguised as legitimate software that mimic the Total Commander installer, attackers have demonstrated above-average evasion abilities and techniques.”