Yesterday, our analysts added new entries to the database as part of update 11766: Win64/Duqu.AA, Win64/Duqu.AB, Win32/Duqu.D, and Win32/Duqu.E. The entries cover the 64- and 32-bit files of the new version of the well-known state-sponsored malware called Duqu (aka Duqu.B). This version, like the previous one, was used in cyber espionage operations (so-called intelligence-gathering attacks) against various telecommunications companies, as well as security companies (Kaspersky). With its help, the attackers tried to extract various confidential data from the computers of corporate victims.

According to Symantec, Duqu.B was used for cyber attacks on telecommunications companies in Europe, as well as North Africa. In addition, users in the USA, Great Britain, Sweden, India, and Hong Kong could have become victims.
The CrySyS research center (Laboratory of Cryptography and System Security) published a detailed comparative report on both Duqu versions, which shows that they have much in common:
- Similar functions to decrypt strings that contain the names of anti-virus products.
- Similar characteristics related to file encryption using the AES algorithm.
- Both versions use a non-standard CBC mode of operation of the AES encryption algorithm.
- In both versions, an almost identical module is used, which is responsible for logging the actions of the malicious program.
- A similar malware coding style using C++ and a similar compilation style.
The 64-bit executable files of this malware can be found on the VirusTotal service.
SHA256: 8e97c371633d285cd8fc842f4582705052a9409149ee67d97de545030787a192
www.virustotal.com/en/file/8e97c371633d285cd8fc842f4582705052a9409149ee67d97de545030787a192/analysis

SHA256: 6de1bb58ae3c37876c6372208366f5548fcc647ffd19ad1d31cebd9069b8a559
www.virustotal.com/en/file/6de1bb58ae3c37876c6372208366f5548fcc647ffd19ad1d31cebd9069b8a559/analysis

SHA256: 2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69
www.virustotal.com/en/file/2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69/analysis

SHA256: 9900c91f6d754f15f73729ce5a4333a718463e24aa7e6192c7527ec5c80dac42
www.virustotal.com/en/file/9900c91f6d754f15f73729ce5a4333a718463e24aa7e6192c7527ec5c80dac42/analysis