Analysis Summary

Middle Eastern governments have been singled out in an as-yet-undisclosed campaign to introduce a new backdoor known as CR4T. The activity was found in February 2024, according to the researchers, however, there is evidence that it may have been going on for at least a year earlier. DuneQuixote is the codename for the campaign.

The report reads, “The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion methods both in network communications and in the malware code.”

The attack chain begins with a dropper, which may be found in two varieties; a standard dropper that can be used as an executable or DLL file, or it can be a corrupted installer file for Total Commander, a genuine program. The main purpose of the dropper, regardless of the mechanism employed, is to extract an embedded command-and-control (C2) address, which is then encrypted and decrypted using a unique manner to shield the server address from automated malware analysis tools.

To be more precise, it means finding the dropper's filename and joining it with one of the numerous hard-coded passages from Spanish poetry that are included in the dropper code. After that, the malware determines the concatenated string's MD5 hash, which is needed to decrypt the C2 server address. Next, the dropper connects to the C2 server and downloads a next-stage payload by sending an HTTP request with a hard-coded ID as the User-Agent string.

If the incorrect user agent is not supplied, the payload cannot be downloaded. Moreover, it seems that the payload is either limited to a single download per victim or is only accessible for a short time after a malware copy is released into the world. In contrast, the trojanized Total Commander installer keeps the majority of the features of the original dropper but has a few changes.

The Spanish poem strings are removed, and extra anti-analysis checks are added to prevent a connection to the C2 server if a debugger or monitoring tool is installed on the system, the cursor position remains unchanged for an extended period, the available RAM is less than 8 GB, or the disk capacity is less than 40 GB.

A memory-only implant based on C/C++, CR4T ("CR4T.pdb") allows attackers to operate files, upload and receive files, and access a terminal for command line execution on the compromised system by establishing a connection with the C2 server.

The same features were also found in a Golang version of CR4T that could be used to build scheduled tasks using the Go-ole library and execute arbitrary commands. Furthermore, the Golang CR4T backdoor can use the Telegram API for C2 communications and the COM objects hijacking approach to accomplish persistence. The Golang variant's existence suggests that the anonymous threat actors responsible for DuneQuixote are continuously honing their cross-platform malware tradecraft.

The 'DuneQuixote' campaign uses a fascinating range of stealth and persistence-oriented technologies to target entities in the Middle East. The attackers exhibit superior evasion skills and strategies by disguising themselves as genuine software and using memory-only implants and droppers to resemble the Total Commander installer.

Impact

• Unauthorized Access
• Data Exfiltration

Indicators of Compromise

Domain Name

SHA1

• 358f8757418c28e9e2a3c17dda180ace60aaa905
• dd1f3df3d07754843a58ce9613669fb8a57d83cb
• 32539b7ade2830b7bf404e1cb85318cd9b81fb66
• 6312568efa6cc02004acbc77bda6a2ec83e7b945
• 068e76cb548019d8c9dade1493fdf9343d86d8b9
• db7ab88046f162ad5f2ab713dfbbdb23c7c9a8d1
• a42a255e1c3d79c317180e2603eb5487c5afc303
• d6c77554b9821c6405fe386bd04a799426c8c118
• 98671bd063cef4d6f3e17c58652c4a88c57701b8
• d7cf715b9596abe119e3e6f64026ee05efcd539c
• f34b71af24fd1982d0899283c8bfb7b0f1392434
• bbea7b0b57b2eb72e0f373f914143a62851ffe65
• 74db9683f7f0ea511dc37435851b6d77cc4781e4
• e3783a51b31b891b2a9720c3cda3f8cd6e7dbe76
• 08e62722bae308b5a90e8d9281fa112c7d6b6323
   

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Be vigilant when downloading software and double-check the URL to see if it is legitimate.
• Never download software from untrusted sources.
• Download apps only from official app stores like Google Play Store or Apple App Store. Avoid downloading apps from third-party websites or unofficial sources.
• Review the permissions requested by apps before installing them. Be cautious of apps that request unnecessary permissions or access to sensitive data.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Keep your operating system and apps up-to-date with the latest security patches and updates
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Be cautious of unsolicited messages, emails, or links, especially from unknown or suspicious sources. Avoid clicking on suspicious links or downloading attachments from untrusted sources.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Regularly backup your data to a secure location, such as a cloud storage service or external hard drive.
• Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.