The sophistication and technical prowess behind Duqu 2.0 is truly remarkable. But despite the millions of dollars necessary to execute the campaign, it still relied on attacking a piece of infrastructure inside almost every corporation: the Active Directory.
This is what you won’t hear.
This is what attackers want to keep quiet.
If their secret gets out—that the Active Directory is the key asset for a successful campaign—their job gets much harder, and their ROI suffers as a result. (Remember, hacking is a business.)
The attack starts with establishing a foothold on a machine. (The jury is still out on this, but the most likely culprit is through spear phishing emails.) Once the machine is compromised, the attacker uses the zero-day CVE-2015-2360 to elevate to the highest local privileges. With these system level privileges, he can now make changes on the computer.
Next, he takes a page from the playbook of the Hollywood heist movies and uses the payloads L, G, and I to disable all the security systems: Kaspersky, McAfee, Symantec, Bitdefender, ESET, etc. Then, he uses payloads Q and K to download the malicious module into memory and establish a backdoor C&C server.
The next step is to gather information about the environment via Active Directory (AD) reconnaissance. Why AD reconnaissance? Because attackers know all of the corporation’s information is stored there. With a simple query of the Active Directory, the attacker identifies valuable resources to execute his campaign.
Once he’s identified his targets, he moves laterally and begins to infect other endpoints inside the Domain. The Duqu algorithm has the ability to deploy multiple methodologies autonomously. One example is pass-the-hash: a hash is stolen and used repeatedly to authenticate other endpoints. Another example is to exploit MS14-068 to obtain Domain administrator privileges via a forged signature in a ticket, and then use these privileges to infect other endpoints.
Now for all the defenders reading this, you might be thinking: “ok, well that’s why I have next-generation endpoint protection tools, to stop malware like this from getting onto my computers”. Great thought. But Duqu survives exclusively in the memory, so that means these technologies won’t be able to detect it.
You might come back and say, “fine, but I can restart the computers and wipe the memory.” Nice try, but Duqu has an answer for that, too. It uses high uptime servers to reinfect computers in the Domain that get disinfected by reboots. As soon as a computer is powered back on, Duqu can immediately reinject the malware into memory.
Why do the attackers choose not to have a persistence mechanism? It’s because they want to evade detection at all costs. Surviving in memory allows them to bypass the AV and other endpoint detection technologies. (Remember, stealth is a top priority for attackers.)
Ok, back to the main story.
The high uptime server spreads the infection, and then monitors and controls the other infected endpoints inside the corporate Domain.
There are two infection strategies:
- Executing MSIEXEC package on the target host remotely
- Using stolen tokens to copy malicious DLL and running it as a service
After infecting the endpoint, the final step is to exfiltrate data. This is a hallmark Duqu 2.0 feature—it conceals the data inside JPEG and GIF images.
Traffic from the infected endpoints is funneled to the high uptime server through SMB Pipes. This way, there is only one communication channel between the attacker’s C&C and the victim’s network. The attacker transmits the concealed data, which is inside JPEG and GIF files, from the high uptime server via HTTP, reducing the likelihood of detection.
Duqu 2.0 Is Not Alone
If we look back at the way in which Duqu 2.0 moved throughout its victim’s environment, we’ll notice three things:
- Domain credential theft
- Active Directory reconnaissance
- Lateral movement
This is the same process that Samas RansomWorm used to infect its victims’ networks. Does this diagram look familiar?
Both of these APTs share a common thread. The outcomes are different, but they use the same methodology once inside to execute the attack.
In fact, all APTs share this methodology—steal domain credentials, discover targets via Active Directory reconnaissance, and move laterally—because the attackers know that the Active Directory is vulnerable and easy to manipulate. It’s also an asset that companies are not protecting. Companies aren’t even aware they should be protecting it.
CISOs and IT personnel must look past the traditional, one-sided view of the Active Directory as a resource management tool.
They must recognize that it’s a security vulnerability.
Javelin vs. Duqu 2.0
The video below demonstrates how Duqu operates its campaign. But what would happen if Javelin is put against it? Who will win in the crucial fight for information, reconnaissance, and lateral movement?
If you would like more information about AD|Protect, please get in touch: firstname.lastname@example.org