Duqu 2.0 Advanced Persistent Threat (APT) Infos

Started by deanwebb, June 15, 2015, 01:17:25 PM


deanwebb

https://threatpost.com/duqu-resurfaces-with-new-round-of-victims-including-kaspersky-lab/113237

https://threatpost.com/duqu-2-0-attackers-used-stolen-foxconn-certificate-to-sign-driver/113315

Some key info:
1. Duqu 2.0 hangs out in memory and is capable of being persistent even without normal persistence mechanisms (i.e., a file on the hard drive)
2. Code most likely originates from a nation state. Although the articles above won't name names, other sources indicate the nation state in question may be one where Hebrew is an official language.
3. It uses breaches in Microsoft Windows to elevate privileges. The patch for the first breach was issued in November 2014. The most recent breach was patched in early June 2015. Be sure your boxes are patched up!
4. Because the code resides in memory and lacks a typical malware persistence feature, it's very hard to detect.
5. Persistence after reboot is maintained by a few devices that will provide communication tunnels for attackers. Attackers can use credentials picked up in #3 to redeploy Duqu as needed.
6. Duqu uses a stolen cert from Apple manufacturing partner Foxconn to sign its drivers. The Duqu team is using multiple Foxconn certs to sign different drivers, just in case one cert gets ganked.

Kaspersky says:

"Finally, it's interesting that the Duqu attackers are also careful enough not to use the same digital certificate twice. This is something we have seen with Duqu from both 2011 and 2015. If that's true, then it means that the attackers might have enough alternative stolen digital certificates from other manufacturers that are ready to be used during the next targeted attack. This would be extremely alarming because it effectively undermines trust in digital certificates."

Yes, it is extremely alarming.

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
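Point 6 and the Kaspersky quote above make a practical detection point: because the attackers rotate stolen certificates, blocking one cert thumbprint does not catch the next driver. The triage below is an added example (not code from the post, the Threatpost articles, or Kaspersky) that runs over a constructed driver-signature inventory of the kind you would export on Windows with `Get-AuthenticodeSignature` (Status, SignerCertificate.Subject, SignerCertificate.Thumbprint) and flags drivers by signing publisher rather than by individual certificate. "Hon Hai Precision Industry" is Foxconn's registered company name; the exact subject strings, the driver paths, the thumbprints and the per-host allowlist are all assumptions constructed for the example.

```python
"""Triage a Windows driver-signature inventory for signers that should not be trusted.

Added example: the inventory format mirrors a CSV export of Get-AuthenticodeSignature
results; every row below is constructed for illustration, not real data.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Publishers whose code-signing certificates are reported (in the Duqu 2.0 coverage
# above) to have been stolen and used to sign malicious drivers. Matching on the
# publisher name rather than on a thumbprint is deliberate: the attackers used a
# different certificate for each driver, so a thumbprint denylist lags one cert behind.
# The substrings are an assumption about how the subject appears in the certificate.
KNOWN_ABUSED_PUBLISHERS = ("FOXCONN", "HON HAI PRECISION INDUSTRY")

# Per-host allowlist of publishers whose drivers you actually expect on this fleet.
# Hypothetical values for the example; a real list comes from your own baseline.
EXPECTED_PUBLISHERS = ("MICROSOFT WINDOWS", "MICROSOFT CORPORATION", "INTEL CORPORATION")

# Constructed sample inventory (paths, subjects and thumbprints are made up).
SAMPLE_INVENTORY = """Path,Status,Subject,Thumbprint
C:\\Windows\\System32\\drivers\\ndis.sys,Valid,"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",A1B2C3D4E5F60718293A4B5C6D7E8F9011223344
C:\\Windows\\System32\\drivers\\iastor.sys,Valid,"CN=Intel Corporation, O=Intel Corporation, C=US",B2C3D4E5F60718293A4B5C6D7E8F901122334455
C:\\Windows\\System32\\drivers\\netfilt.sys,Valid,"CN=HON HAI PRECISION INDUSTRY CO. LTD., O=HON HAI PRECISION INDUSTRY CO. LTD., C=TW",C3D4E5F60718293A4B5C6D7E8F90112233445566
C:\\Windows\\System32\\drivers\\hostmgr.sys,Valid,"CN=HON HAI PRECISION INDUSTRY CO. LTD., O=HON HAI PRECISION INDUSTRY CO. LTD., C=TW",D4E5F60718293A4B5C6D7E8F9011223344556677
C:\\Windows\\System32\\drivers\\vendorx.sys,Valid,"CN=Example Vendor Ltd, O=Example Vendor Ltd, C=GB",E5F60718293A4B5C6D7E8F901122334455667788
C:\\Windows\\System32\\drivers\\legacy.sys,NotSigned,,
"""


@dataclass
class Finding:
    path: str
    publisher: str
    thumbprint: str
    reason: str


def publisher_of(subject: str) -> str:
    """Return the upper-cased CN of an X.500 subject string such as 'CN=Foo, O=Foo Ltd, C=US'."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip().upper()
    return subject.strip().upper()


def triage(inventory_csv: str) -> List[Finding]:
    """Flag drivers with an invalid signature, a known-abused publisher, or an unexpected publisher."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        path, status = row["Path"], row["Status"].strip()
        publisher, thumbprint = publisher_of(row["Subject"]), row["Thumbprint"].strip()
        if status != "Valid":
            findings.append(Finding(path, publisher, thumbprint, f"signature status {status}"))
        elif any(tag in publisher for tag in KNOWN_ABUSED_PUBLISHERS):
            findings.append(Finding(path, publisher, thumbprint, "known-abused publisher"))
        elif not any(publisher.startswith(exp) for exp in EXPECTED_PUBLISHERS):
            findings.append(Finding(path, publisher, thumbprint, "publisher not on allowlist"))
    return findings


def certs_per_publisher(inventory_csv: str) -> Dict[str, int]:
    """Count distinct signing certificates per publisher; several certs for one
    non-Microsoft publisher on a single host is itself worth a look."""
    seen: Dict[str, set] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["Status"].strip() == "Valid":
            seen.setdefault(publisher_of(row["Subject"]), set()).add(row["Thumbprint"].strip())
    return {pub: len(thumbs) for pub, thumbs in seen.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.reason:28} {f.publisher:40} {f.thumbprint[:8]}  {f.path}")
```

Run against the sample, both Foxconn-signed drivers are flagged even though their thumbprints differ, which is the point: revoke and denylist the individual certs as they are published, but key your detection on who signed the driver and whether that publisher belongs on the host at all.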