The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns [ED: duqu continued; they never left! ]

[coderman]

https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

The
duqu 2.0
Technical Details
Version: 2.0 (9 June 2015)

www.kaspersky.com

2

The Duqu 2.0
Technical Details

Contents
Executive summary

3

initial attack

4

Lateral movement

4

Analysis of a Duqu 2.0 MSI package

7

File properties 7
First Layer: ActionDLL (msi.dll) 10
Second Layer: ActionData0 10
Third Layer: klif.dll 11
Attacking AVP.EXE 12
CTwoPENC.dll zero-day and KMART.dll 14

Payload Containers and Migration

15

Payload type “L” 15
Payload run type “G” 16
Payload run type “I” 16
Payload run type “K” 17
Payload run type “Q” 17

Platform plugginable modules

17

Persistence mechanism

33

Command and control mechanisms

33

The “portserv.sys” driver analysis 35

Similarities between Duqu and Duqu 2.0

37

Victims of Duqu 2.0

42

Attribution

43

Conclusions

44

References

45

For any inquiries, please contact intelrepo...@kaspersky.com

3

The Duqu 2.0
Technical Details

Executive summary
Earlier this year, during a security sweep, Kaspersky Lab detected a cyber 
intrusion
affecting several of its internal systems.
Following this finding, we launched a large-scale investigation, which led to 
the
discovery of a new malware platform from one of the most skilled, mysterious and
powerful groups in the APT world – Duqu. The Duqu threat actor went dark in 
2012 and
was believed to have stopped working on this project - until now. Our technical 
analysis
indicates the new round of attacks include an updated version of the infamous 
12011
Duqu malware, sometimes referred to as the step-brother of 2Stuxnet. We named 
this
new malware and its associated platform “Duqu 2.0”.
Victims of Duqu 2.0 have been found in several places, including western 
countries, the
Middle East and Asia. The actor appears to compromise both final and 
utilitarian targets,
which allow them to improve their cyber capabilities.
Most notably, some of the new 2014-2015 infections are linked to the P5+1 
events and
venues related to the negotiations with Iran about a nuclear deal. The threat 
actor behind
Duqu appears to have launched attacks at the venues for some of these high 
level talks.
In addition to the P5+1 events, the Duqu 2.0 group has launched a similar 
attack in
relation to the 370th anniversary event of the liberation of Auschwitz-Birkenau.
In the case of Kaspersky Lab, the attack took advantage of a zero-day 
(CVE-2015-2360)
in the WindowsKernel, patched by Microsoft on June 9 2015 and possibly up to two
other, currently patched vulnerabilities, which were zeroday at that time.

1       

https://en.wikipedia.org/wiki/Duqu

2       

http://www.kaspersky.com/about/news/virus/2011/Duqu_The_Step_Brother_of_Stuxnet

3       

http://70.auschwitz.org/index.php?lang=en

For any inquiries, please contact intelrepo...@kaspersky.com

4

The Duqu 2.0
Technical Details

initial attack
The initial attack against Kaspersky Lab began with the targeting of an 
employee in
one of our smaller APAC offices. The original infection vector for Duqu 2.0 is 
currently
unknown, although we suspect spear-phishing e-mails played an important role. 
This is
because for one of the patients zero we identified had their mailbox and web 
browser
history wiped to hide traces of the attack. Since the respective machines were 
fully
patched, we believe a zero-day exploit was used.
In 2011, we were able to identify Duqu attacks that used Word Documents 
containing an
exploit for a zero-day vulnerability (CVE-2011-3402) that relied on a malicious 
embedded
TTF (True Type Font File). This exploit allowed the attackers to jump directly 
into Kernel
mode from a Word Document, a very powerful, extremely rare, technique. A similar
technique and zero-day exploit ( 4CVE-2014-4148) appeared again in June 2014, 
as part
of an attack against a prominent international organization. The C&C server 
used in this
2014 attack as well as other factors have certain similarities with Duqu, 
however, the
malware is different from both Duqu and Duqu 2.0. It is possible that this is a 
parallel
project from the Duqu group and the same zero-day (CVE-2014-4148) might have 
been
used to install Duqu 2.0.
Once the attackers successfully infected one machine, they moved on to the next 
stage.

Lateral movement
In general, once the attackers gain access into a network, two phases follow:
•       
•       

Reconnaissance and identification of network topology
Lateral movement

In the case of Duqu 2.0, the lateral movement technique appears to have taken
advantage of another zero-day, (CVE-2014-6324) which was patched in November 
2014
with 5MS14-068 . This exploit allows an unprivileged domain user to elevate 
credentials
to a domain administrator account. Although we couldn’t retrieve a copy of this 
exploit,
the logged events match the Microsoft detection guidance for this attack. 
Malicious
modules were also observed performing a “pass the hash” attack inside the local
network, effectively giving the attackers many different ways to do lateral 
movement.
Once the attackers gained domain administrator privileges, they can use these
permissions to infect other computers in the domain.
To infect other computers in the domain, the attackers use few different 
strategies. In
most of the attacks we monitored, they prepare Microsoft Windows Installer 
Packages
(MSI) and then deploy them remotely to other machines. To launch them, the 
attackers
create a service on the target machine with the following command line:
msiexec.exe /i “C:\\[…]\tmp8585e3d6.tmp” /q PROP=9c3c7076-d79f-4c
4       

https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html

5       

https://technet.microsoft.com/library/security/MS14-068

For any inquiries, please contact intelrepo...@kaspersky.com

5

The Duqu 2.0
Technical Details

The PROP value above is set to a random 56-bit encryption key that is required 
to
decrypt the main payload from the package. Other known names for this parameter
observed in the attacks are “HASHVA” and “CKEY”. The folder where the package is
deployed can be different from case to case, depending on what the attackers can
access on the remote machine.
In addition to creating services to infect other computers in the LAN, 
attackers can also
use the Task Scheduler to start “msiexec.exe” remotely. The usage of Task 
Scheduler
during Duqu infections for lateral movement was also observed with the 2011 
version
and was described by 6Symantec in their technical analysis.

“msiexec.exe” - Task Scheduler trace in the logs

The MSI files used in the attacks contain a malicious stub inside which serves 
as a loader.
The stub loads the other malware resources right from the MSI file and decrypts 
them,
before passing execution to the decrypted code in memory.

Malicious stub with query to load the other resources from the MSI file 
highlighted.

The encryption algorithms used for these packages differ from case to case. It’s
important to point out that the attackers were careful enough to implement 
unique
methods, encryption algorithms and names (such as file names) for each attack, 
as a
method to escape detection from security products and limit the ability of an 
antivirus
company to find other infections once one of them has been identified.
So far, we’ve seen the following encryption algorithms used by the attackers:
•       
•       
6       

Camellia
AES
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_
the_next_stuxnet.pdf

For any inquiries, please contact intelrepo...@kaspersky.com

6

The Duqu 2.0
Technical Details

•       
•       
•       

XTEA
RC4
Different multibyte XOR-based encryption

For compression algorithms, we’ve seen the following:
•       
•       
•       
•       

LZJB
LZF
FastLZ
LZO

In essence, each compiled attack platform uses a unique combination of 
algorithms that
make it very difficult to detect.
The attackers can deploy two types of packages to their victims:
•       
•       

“Basic”, in-memory remote backdoor (~500K)
Fully featured, C&C-capable, in-memory espionage platform (18MB)

These have similar structures and look like the following:

Malicious Duqu 2.0 MSI package.

In the screenshot above, one can see the loader (ActionDll: 17,920 bytes) and 
the main
payload (ActionData0: 476,736 bytes). Upon execution, ActionDll is loaded and 
control is
passed to its only export, StartAction.
The “basic” in-memory remote backdoor is pushed to computers inside the domain
by the Domain Controller on a regular basis – almost like a worm infection. 
This gives
the attackers an entry into most of the machines from the domain and if further 
access
is needed, they can upload a more sophisticated MSI file that deploys tens of 
different
plugins to harvest information.
For any inquiries, please contact intelrepo...@kaspersky.com

7

The Duqu 2.0
Technical Details

A thorough description of the malware loading mechanism from the “basic” remove
backdoor MSI can be found below.

Analysis of a Duqu 2.0 MSI package
Filename: random / varies from case to case
MD5 (example, can vary): 14712103ddf9f6e77fa5c9a3288bd5ee
Size: 503,296 bytes

File properties
The MSI file has the following general properties:
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       

Composite Document File V2 Document
Little Endian
OS: Windows, Version 6.1
Code page: 1252
Title: {7080A304-67F9-4363-BBEB-4CD7DB43E19D} (randomly generated GUIDs)
Subject: {7080A304-67F9-4363-BBEB-4CD7DB43E19D}
Author: {7080A304-67F9-4363-BBEB-4CD7DB43E19D}
Keywords: {7080A304-67F9-4363-BBEB-4CD7DB43E19D}
Comments: {7080A304-67F9-4363-BBEB-4CD7DB43E19D}
Template: Intel;1033
Last Saved By: {7080A304-67F9-4363-BBEB-4CD7DB43E19D}
Revision Number: {4ADA4205-2E5B-45B8-AAC2-D11CFD1B7266}
Number of Pages: 100
Number of Words: 8
Name of Creating Application: Windows Installer XML (3.0.5419.0)
Security: 4

It should be noted that MSI files used in other attacks can have different 
other properties.
For example, we observed several other fields:
•       
•       

Vendor: Microsoft or InstallShield
Version: 1.0.0.0 or 1.1.2.0 or 2.0.0.0

For any inquiries, please contact intelrepo...@kaspersky.com

8

The Duqu 2.0
Technical Details

Some of these are visible via the Windows Explorer file properties dialog box:

There are two binary blocks inside this MSI package:

For any inquiries, please contact intelrepo...@kaspersky.com

9

The Duqu 2.0
Technical Details

The first binary, called ActionDll, is in fact a Windows PE DLL file, while the 
other one
is a Camellia-encrypted and LZJB-compressed data payload (the encryption and
compression algorithm vary from case to case). In fact, there are several 
layers of
executable code embedded one into another as compressed or encrypted binary 
blocks.
Here’s a look at a Duqu 2.0 MSI package, with all its internal payloads:

We describe these components in more detail below.

For any inquiries, please contact intelrepo...@kaspersky.com

10

The Duqu 2.0
Technical Details

First Layer: ActionDLL (msi.dll)
Original filename: msi.dll
MD5: e8eaec1f021a564b82b824af1dbe6c4d
Size: 17’920 bytes
Link time: 2004.02.12 02:04:50 (GMT)
Type: 64-bit PE32+ executable DLL for MS Windows
This DLL has only one export name called StartAction, which is called in the 
context of
msiexec.exe process. When this function is called, it retrieves an MSI property 
called
PROP and uses it as a decryption key for the bundled ActionData0 package:
Next, the code iterates over 12 possible
payloads that have to be decrypted and
started. The payloads are part of the
MSI and may have the following names:
ActionData0, ActionData1, ActionData2,
etc.
The package described here contains
only one payload named “ActionData0”.

Second Layer: ActionData0
This binary chunk contains the main code, in
compressed and encrypted format. It represents a
composition of executable, position-independent code
blocks mixed with embedded data objects. The code
seems to be based on a framework and heavily uses
helper structures that contain pointers to a set of system
APIs and offsets to internal data blocks. Such structures
are definitely a trademark of the developer. When they
are initialized, one field (usually the first 4 bytes) contains
a magic value that identifies the state and type of the
structure.
Another trademark of the coder is the way to import
system API by module and export name hashes. The
hashing algorithm was found all over this and other
layers of executable code. It’s easily recognizable by two
DWORD constants: 0x8A20C27 and 0x67F84FC6.
Basically, the code in ActionData0 passes execution
to an embedded executable, which we will refer by its
internal name: “klif.dll”. The execution is passed to the
second exported function in table of exports of this DLL
file. This disregards the export name and relies only on
the order of functions in the table of PE export ordinals.
When this export function is called, a next stage helper structure pointer is 
passed to it,
so that it can use some of the values set on the upper layer.
For any inquiries, please contact intelrepo...@kaspersky.com

11

The Duqu 2.0
Technical Details

However, before passing execution to klif.dll, the code attempts alternative 
routes.
First, it attempts to find the name of the following format 
“api-ms-win-shell-XXXX.
dll”, where “X” can be any decimal number. The name is valid if there is no 
module with
such filename loaded into current process. The code attempts to iteratively 
find such
name starting from api-ms-win-shell-0000.dll, api-ms-win-shell-0001.dll, 
api-ms-winshell-0002.dll and so on. This may be a dependency to the Duqu 
platform component
that is yet to be discovered.
Right after this, if the name was found, the code attempts to map a section 
kernel object
by name, which is generated using a PRNG-based algorithm. The name of the 
section
has the following template: 
“\BaseNamedObjects\{XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX}”, where “X” is any 
hexadecimal digit that is generated based on current
system boot time. So far, the name of the section is “machine/boot time” 
dependent,
which makes it unique but allows other processes of modules to locate such 
section if
they use the same name generation algorithm. This section is accessed in 
different other
parts of the code and modules. Lets refer to this section as OSBoot-section 
from now.
Once the section name is generated the code tries to open such section and, if 
it is
found, it takes some values from it and attempts to open a specific device and 
issue a
number of IOCTL codes to the driver. The name of the driver device as well as 
IOCTL
codes are located inside a section of the kernel mode driver KMART.dll that is 
described
below.
The code developer has a preference for using sections to any other ways to 
access
data. Another use of sections appears to be in mapping the part of code/data 
where
klif.dll is embedded and then finding that section using a hardcoded magic QWORD
number: 0xA1B5F8FC0C2E1064. Once the section is found in address space of 
current
process the code attempts to pass execution to it. This alternative execution 
route is
not applicable to current MSI file package but simply exists in the code 
probably due
to common code template used for building current MSI package. It may also be an
indicator of another Duqu platform component that wasn’t used in the attacks 
that we
observed.

Third Layer: klif.dll
Original filename: klif.dll
MD5: 3fde1bbf3330e0bd0952077a390cef72
Size: 196’096 bytes
Link time: 2014.07.06 08:36:50 (GMT)
Type: 64-bit PE32+ executable DLL for MS Windows
Apparently, this file attempts to mimic some of legitimate names of Kaspersky 
Lab
product components: “klif.sys”. Although there is neither similarity in code 
nor in file
information, the module uses Kaspersky Lab acronym in it’s export names: KLInit 
and
KLDone.

For any inquiries, please contact intelrepo...@kaspersky.com

12

The Duqu 2.0
Technical Details

When this DLL is loaded into a new process, it simply initializes internal 
structures, such
as those providing pointers to the required system API.
The real payload of this module is located in the KLDone export function, which 
is
second in the list of the export table. This export function is called from the 
previous
code layer.
First, it makes sure that global application structure is initialized with 
essential functions
from ntdll.dll, kernel32.dll and user32.dll. System API functions are imported 
using hashes
of export names. The hashing algorithm is identical to the one described one 
layer above
and uses the same magic constants: 0x8A20C27 and 0x67F84FC6.
Next the code iterates through the list of running processes and hashes 
lowercase name
of each process. The hash is compared to a hardcoded value of 0x3E3021CB, which 
is a
hash for the “avp.exe” string.

Attacking AVP.EXE
If the “avp.exe” process is running, the module attempts to open the 
OSBoot-section as
described before and tries to attack the avp.exe process. The attack starts from
identifying the exact path to the installed Kaspersky Lab product by iterating 
through an
array of hardcoded registry keys and values for the following products:
KES12

AVP15

AVP10

KES11

AVP14.0.0

KES9

KES10

AVP14

KES8

AVP16.0.0

AVP13

AVP80

AVP16

AVP12

AVP90

AVP15.0.0

AVP11

AVP9

AVP8
AVP7
AVP6

The registry values queried by the module contain a filesystem path to the root 
directory
where the corresponding product is installed. For example: “C:\Program 
Files\Kaspersky
Lab\Kaspersky Internet Security 15.0.0\”
Once the registry key and value is found, the module confirms that avp.exe file 
is located
in that directory. It does some basic file availability checks as well: makes 
sure that
environment variables are resolved and the file can be opened for reading and 
it begins
with 0x5A4D (magic “MZ” value of Windows executables).
After that, the module creates a new section and maps avp.exe as a file view to 
this
section. To allow code execution, the attributes of this memory region are also 
changed
accordingly. This allows the module to change bytes from the mapped avp.exe in
memory. The module applies two patches to the mapped avp.exe in a quite unusual 
way
using SSE2 CPU extensions. In fact, it patches just the old DOS PE header (less 
than 120
bytes). The patches are simple callback mechanisms that call arbitrary function 
passed as
an argument.
Right after this, the module attempts to start a new thread that begins with 
one of the
patched locations. So far, it looks like the new thread begins with a call 
originating from
avp.exe module that does some other calls, i.e. jumping back to klif.dll. 
Apparently, this
For any inquiries, please contact intelrepo...@kaspersky.com

13

The Duqu 2.0
Technical Details

attack was introduced to trick the avp.exe process into believing that further 
calls will
be safe and trusted as the root of the call stack is coming from the legitimate 
avp.exe
module. This is what we see further down in the code: the new thread instantly 
jumps
from avp.exe back to klif.dll and tries to communicate with the Kaspersky Lab 
product
minifilter driver, known as klif.sys.
In fact, just before communicating with klif.sys, it opens OSBoot-section and 
gets an
IOCTL code as well as the driver device name to send this IOCTL code to. The 
section
and corresponding driver (KMART.dll) provide certain support to the current 
module. The
code hashes current process name and verifies if it falls down into one of 
three hashes:
0x3E3021CB (avp.exe), 0xDE6D4DA0 (msiexec.exe), 0xB915B2D8 (rundll32.exe).
If current process name hash is recognized, the module communicates with 
klif.sys
by opening \KlifComm minifilter communication port and sending series of driver
communication messages. According to analysis of the messages, this technique
makes process or thread operations “invisible” to the klif interceptor. Such 
registered
entity is considered to be trusted and its activity is removed from 
AV-scanning, process
monitoring, firewall and other defense engines that are subscribed to 
intercepted events.
In addition, the module requests support of the self-defense feature of 
Kaspersky Lab
product, which is normally used to protect the software from aggressive malware 
which
kills the security software processes using a number of techniques available 
from the
OS. This of course guarantees that even a user with administrative privileges 
cannot stop
such process.
Considering that this seemed to be an attack against Kaspersky Lab products, we 
did
some additional tests of the products and found that current products verify 
the caller
process by checking its custom digital signature. So far, without additional 
driver support,
this technique should fail. Verification of the digital signature of the 
process that opened
\KlifComm minifilter communication port was implemented in all Kaspersky Lab
products since 2010. So far, this could affect only
older products such as KIS2010, which was
released by Kaspersky Lab in 2009 ►
It doesn’t look realistic now that the attackers
started implementing tricks against Kaspersky
Lab products in 2009 or earlier. So we looked for
another rational explanation and seem to have
found it.
Such an attack doesn’t normally work against
our products because they verify that the caller
process is legitimate by checking its custom digital
signature. To bypass this, the Duqu 2.0 component
named “KMART.dll” patches “klif.sys” in memory to
bypass this check. The attack works because the
attacker’s “KMART.dll” is already running in kernel
mode due to a vulnerability in the Windows kernel.
After sending the codes, the module proceeds to the next stage, which is process
migration, described further below.

For any inquiries, please contact intelrepo...@kaspersky.com

14

The Duqu 2.0
Technical Details

CTwoPENC.dll zero-day and KMART.dll
The third layer klif.dll performs a multitude of functions in order to ensure 
the survival of
the malware in memory and bypass antivirus detections.
One important step is to get kernel level access. On 64-bit systems, one cannot 
simply
load and run kernel mode code without a signed driver. While other attackers 
such
as Equation or Turla chose to piggyback on third-party signed drivers, the Duqu 
2.0
platform relies on a much more cunning trick.
One of the payloads bundled together with “klif.dll” is called “CTwoPENC.dll”. 
This is
aWindows kernel mode exploit (CVE-2015-2360) that allows them to run code with 
the
highest privileges in the system We recovered several versions of 
“CTwoPENC.dll”, both
for 32-bit and 64-bit versions of Windows, with the following compilation 
timestamps:
•       
•       
•       

2014.08.25 01:20:04 (GMT)
2014.08.25 01:19:03 (GMT)
2014.07.06 09:17:03 (GMT)

Unlike other Duqu 2.0 modules, these timestamps appear to be legitimate. The 
reason
for this remains unknown – perhaps the Duqu platform developers got this module 
from
somebody else and forgot to patch its compilation timestamp.
“CTwoPENC.DLL” exploits a zero-day vulnerability in “win32k.sys” to gain kernel 
privileges
while being run as an unprivileged user. It creates several windows with 
classes named
“CPer”, “Zero”, “CTwo”, “Vero” in several threads and manipulates the callback 
pointers.

Part of the exploit code that registers window classes and creates new windows.

The main purpose of the exploit is to load a driver named “KMART.dll”. If the 
exploit
succeeds, it decompresses “KMART.dll” from the module’s body and passes control

For any inquiries, please contact intelrepo...@kaspersky.com

15

The Duqu 2.0
Technical Details

to it while running in kernel mode. Both 32-bit and 64-bit versions of the 
“KMART.
DLL” exist. This driver implements a kernel-mode attack against the Kaspersky 
Lab
products filter “klif.sys”. It patches the import table addresses of system API 
functions
PsGetCurrentProcessId, PsLookupProcessByProcessId and KlGetStringRef export of
Kaspersky Lab’s anti-virus driver klflt.sys. The intercepted functions are 
preceded by
malicious code that impersonates the other malicious modules as coming from the
process/file “avp.exe” (using the actual location of the anti-virus component), 
thus
evading monitoring by the anti-virus software.
During testing, the zero-day exploit worked on all contemporary Windows 
versions (XP,
Vista, 7, 8, 8.1 both 32-bit and 64-bit). This vulnerability has been patched 
by Microsoft
on June 9, 2015.”

Payload Containers and Migration
The module supports a number for different payloads provided in the form of 
containers
following klif.dll in memory (located in PE overlay).
A payload container contains a short header describing target CPU architecture, 
payload
type and target process name or hash. When the module uses some embedded code or
file there is normally at least two variants of code bundled inside: 32 and 
64-bit.
Each payload run type is identified by a single character. Current module 
supports
the following 5 payload run types: g, i, k, l, q. Seems like the developer used 
ordered
alphabet characters, which means that there could be other payload run types 
which
were removed from the code at some time. Currently the container located in the
overlay of subject executable contains a “l” character as a payload run type, 
so lets
describe it first.

Payload type “L”
First, the code looks for privileges from other processes. The process handle 
can be
hardcoded or obtained by looking for currently running processes, hashing their 
names
and comparing them to one of known hashes. The module includes the following
hardcoded process hashes:
0x31283314 (services.exe), 0x1026D1BA (lsass.exe), 0x3BD2498C (svchost.exe).
If any of the recognized processes are found, the module opens process token and
verifies that the following privileges are available:
•       
•       
•       
•       
•       
•       

SeDebugPrivilege
SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeIncreaseQuotaPrivilege
SeImpersonatePrivilege
SeRestorePrivilege

If they are available the module duplicates process token and saves it into an 
internal
structure for future use.
For any inquiries, please contact intelrepo...@kaspersky.com

16

The Duqu 2.0
Technical Details

The module looks for one of the available security suites installed in current 
system and
some generic processes if nothing was found. It attempts to find executable 
files of the
following software:
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       

More than 20 different Kaspersky Lab products
McAfee VSCore, SystemCore, HIP
Symantec Internet Security
Bitdefender
ESET
H+BEDV
TrendMicro Network Security Component
Rising AV
Avast
AVG 2012/2013/2014/2015
F-Secure
Qihoo 360 Security
Generic Windows Processes:
oo %ProgramFiles(x86)%\Windows Defender\MsMpEng.exe
oo %SystemRoot%\syswow64\svchost.exe
oo %SystemRoot%\system32\lsass.exe
oo %SystemRoot%\system32\svchost.exe

When such an executable is found and eventually it should (at least svchost or 
lsass.
exe should be present), it runs a new process from discovered location and 
replaces
its executable code with own embedded into current executable in encrypted and
compressed form.
If the code manages to find a security token from one of the processes with 
required
security privileges, it will try to use this token when creating a new process 
using
CreateProcessAsUser API. Otherwise it simply spawns new process instance.
The new process is started in suspended and debugged state. Just before 
starting the
new process it disables DEP for the child processes to simplify code injection 
and data
manipulation. So far, from the outside, it may look like a security software 
was started,
while from the inside its code is completely different from legitimate module.

Payload run type “G”
This payload is almost identical to payload L described above, but the loader 
is simpler
- it skips hijacking of privileged token. Code injection target is selected 
automatically
depending on the availability of known processes.

Payload run type “I”
This payload is similar to payload G, but makes the loader parse payload header 
a bit
differently: instead of process name string it takes only 4 bytes, which are 
supposedly
used as a process hash. This seems to be a way to hide target process name and
use only hash, however this hasn’t been implemented completely in the module we
analyzed.
For any inquiries, please contact intelrepo...@kaspersky.com

17

The Duqu 2.0
Technical Details

Payload run type “K”
This payload is designed to run within the context of the current process. The 
code
simply copies the code to be executed into separate memory and runs it in a 
dedicated
thread. It blocks until thread finishes its execution.

Payload run type “Q”
This payload is identical to payload K described above but it doesn’t block 
execution
when a new thread is started. So far, the new code runs asynchronously.
After the payload container is opened and code migrated to another process, 
which can
be elevated and protected from security software, the real malicious code is 
activated.
In most cases, it is simple named pipe based backdoor that listens for incoming
communications from the orchestrator. In rare cases, on selected machines, it 
can be
heavy orchestrator module that communicates with command and control server, 
works
as a bidirectional proxy and comes with a large bundle of secondary plugins.

Platform plugginable modules
In addition to the basic remote backdoor, the attackers deploy more 
sophisticated
packages to domain controllers and to the victims of interest inside the LAN. 
These MSI
packages can contain tens of different modules designed for various 
cyberespionage
functions.
The fully featured packages are much larger than the basic remote backdoor – 
18MB
vs 500KB. They follow the same structure, with ActionDll and the loader 
mechanism,
except they contain a lot more plugins to load and run.
During our analysis, we identified more than 100 variants of such plugins.
A description of these plugins follows. To separate them, we used a virtual 
identifier
based on the first two bytes of their MD5 sum.
03B7 – The main module of Duqu 2.0, orchestrator.
Implements multiple protocol handlers for C&C communication, can start an
intermediate C&C proxy server with a self-signed HTTPS certificate. Starts the 
plugin
framework, loads and manages all additional plugins.
It works via HTTP, HTTPS, SMB network pipes or direct TCP connection using a 
custom,
encrypted protocol. Interaction via HTTP is concealed in JPEG or GIF files, 
similar to the
2011 version of Duqu. Request names, URLs and User-Agent strings may vary 
between
attacks.
Additional known variants: 3026, 4F11.
0682 – Collects basic system information:
•       
•       

List of running processes
Active desktop and terminal sessions

For any inquiries, please contact intelrepo...@kaspersky.com

18

The Duqu 2.0
Technical Details

Collected information is then transmitted to a named pipe provided by the 
caller.
Additional known variants: C0B7
073C – Implements a complete Windows socket-based transport, both client and
server side. Provides a class factory for the class that encapsulates various 
networking
functions.
0872 – MSI CustomAction library that is activated when the malicious installer 
package
is started by the Windows Installer. Loads the encrypted binary blob that 
contains actual
malicious payload, decrypts and then executes it in memory.
The names in version information vary: svcmsi_32.dll, msi3_32.dll, MSI.dll, 
msi4_32.dll.
Encryption algorithms also vary: Camellia 256, AES, XXTEA.
The decryption key is extracted from an MSI parameter, possible names: PROP,
HASHVA, CKEY.
The encrypted blob is searched by prefixes (can vary): ActionData, CryptHashs, 
CAData.
Both 32-bit and 64-bit versions are known. Additional known variants: 8D7C, 
16EF, E6E5,
434C, 44BD, F708.
09A0 – 64-bit, Exfiltrates file contents, particularly searching for files 
matching these
rules:
•       
•       
•       

*.inuse, *.hml
filename contains “data.hmi” or “val.dat”
files from the /Int/HMI/ or /LG/HM/ folders.

File and directory names of interest for the 09A0 plugin.

Additional known variants: 8858
0AB8 – Provides 25 functions for manipulating files and directories:
•       
•       
•       

List files in directories
Upload and download arbitrary files
Read/write file contents

For any inquiries, please contact intelrepo...@kaspersky.com

19

The Duqu 2.0
Technical Details

In several cases, the modules are looking specifically for directories named 
“\int”, “\lg”, “\
of\md”, “\tl”, “\ak” and files with extensions “.part”, “.manual”, “.inuse”.

File and directory names of interest for the 0AB8 plugin.

Additional known variants: A69E.
0B97 – Network transport. Implements API for connecting sockets and pipes 
provided
by the caller. Additional variant: 56A2.
152B – Network and domain discovery.
•       
•       
•       

Enumerates all servers in the domain
Tries to connect to remote registries and enumerate all users in “HKEY_USERS”.
Usernames are then converted to SIDs
Enumerates all visible network shares

Additional known variants: A987
1C71 – In-memory storage. Receives and stores string data in file mappings.
2125 – Network infection module. Tries to acquire administrative credentials 
from the
running processes and then connect to a target machine using Windows shares. The
machine is infected with a malicious DLL backdoor, the target directory varies 
and may
be in UPDROOT$, ADMIN$ or C$. Uses custom SMB packets to identify the target OS
version. The target malicious DLL is then started using a new service created 
with a name
“svcmsi_32@”. The module communicates with the target backdoor via Windows 
pipes.
Additional variant: DB65. Instead of the malicious DLL, it uploads a new MSI 
package and
then relies on MSIEXEC.EXE to start the MSI via a newly created service named
“msisvc_32@”, the target MSI name is generated randomly using a template “tmp%x.
tmp”.

Example of a Windows event log (System) entry created
at the moment of infection.

Administrative credentials are acquired by stealing a token from any running 
process that
was started by a logged on user having domain administrator’s rights. For that, 
it first
For any inquiries, please contact intelrepo...@kaspersky.com

20

The Duqu 2.0
Technical Details

queries for the first 100 administrative usernames in the current domain 
directly from the
domain controller.

Remote locations used by the network infection module.

24B7 – Remote desktop administration. Acquires the screenshots of the desktop 
but
also can send input to the desktop, move the mouse cursor. Both 32-bit and 
64-bit
variants exist. Additional known variants: 65BE, 7795, BDC8, DEE2
26D6 – Detects running network sniffers (wireshark, tcpview, netstat, dumpcap,
perfmon); implements a TCP server and communicates via network pipes. Internal
name: “P.dll”.
2829 – Collects system information
•       
•       
•       
•       

Monitors USB device attachment
Collects USB drive history
Enumerates network shares, windows captions, system routing tables
Reads/writes encrypted files

2913 - WMI data collection
•       
•       
•       
•       

Enumerate profiles with SIDs
For each profile, extracts information from lnk files in the profile directory
Enumerate processes via WMI (CIMV2), including terminated processes
Extracts user information from available remote registries

Additional known variant: C776
29D4 - Service msisvc_32@; DLL backdoor that is used for network infection by
module 2125. Accepts commands via named pipe 
“Global\{B54E3268-DE1E-4c1e-A6672596751403AD}”. Both 32-bit and 64-bit variants 
exists.
For any inquiries, please contact intelrepo...@kaspersky.com

21

The Duqu 2.0
Technical Details

Additional known variants: 6F92, A505, D242
2B46 – Extensive collection of system and user information
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       
•       

Domain controller’s name
List of users in the domain
Administrators of the domain
Enumerates domain trusts
TCP tables
UDP tables
SNMP discovery (OS, parse all replies)
USB drive history, mounted devices
Installed programs
Time zone
OS install date
ODBC.ini, SQL Server instance info, Oracle ALL_HOMES, SyBase, DB2, MS SQL,
MySQL last connections
DHCP/routing
Network profiles
Zero Config parameters
Connected printers
MRU list for WinRAR, WinZip, Office, IE typed URLs, mapped network drives, 
Visual
Studio MRU
Terminal Service Client default username hint
User Assist history
PuTTY host keys and sessions
Logged on users
Network adapter configuration
VNC clients passwords
Scan the network and identify OS using SMB packet

Some of the registry locations harvested by the module.

For any inquiries, please contact intelrepo...@kaspersky.com

22

The Duqu 2.0
Technical Details

Additional known variants: A7F8
2BF7 - Utility DLL. Provides basic API for creating new MSI packages, loading 
and
injecting arbitrary PE modules. Also responsible for loading the first level of 
the VFS
inside the malicious MSI files. Both 32-bit and 64-bit versions exist.
Known names: “ntdll.dll”, “klif.dll”, “apiset.dll”.
Additional known variants: 6DA1, 32DB, 8304, 9931, 9E60, A2D4, ABA9, B3BB, DC5F,
DD32, F7BB
3395 – MS SQL discovery module. Module can send ARP packets to network and
discover MS SQL Server ports. Additional functions are responsible for 
connecting and
reading of remote registry contents.
35E9 – File system discovery.
•       
•       
•       

Enumerate network shares
Enumerate local disks
Traverse files system hierarchy and enumerate files; identify reparse points

3F45 – Pipe backdoor. Opens a new globally visible named Windows pipe, receives 
and
executes encrypted commands. The “magic” string that identifies the encrypted 
protocol
is “tttttttt”.
•       
•       

Enumerates running processes
Loads and executes arbitrary PE files

Both 32-bit and 64-bit versions exist.
Known pipe names:
•       
•       
•       

\\.\pipe\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E} 
\\.\pipe\{AB6172ED-81054996-9D2A-597B5F827501}
\\.\pipe\{0710880F-3A55-4A2D-AA67-1123384FD859} 
\\.\pipe\{6C51A4DB-E3DE4FEB-86A4-32F7F8E73B99}
\\.\pipe\{7F9BCFC0-B36B-45EC-B377-D88597BE5D78}, 
\\.\pipe\{57D2DE92-CE174A57-BFD7-CD3C6E965C6A}

Additional known variants: 6364, 3F8B, 5926, A90A, DDF0, A717, A36F, 8816, 
E85E, E927

For any inquiries, please contact intelrepo...@kaspersky.com

23

The Duqu 2.0
Technical Details

4160 - Password stealer
•       
•       

Extracts Google Chrome and Firefox login data
LSA credentials

Data used to locate Chrome saved logins.

Additional known variants: B656
41E2 – Password stealer. 64-bit module. Extracts:
•       
•       
•       
•       
•       
•       

IE IntelliForms history
POP3/HTTP/IMAP passwords
TightVNC, RealVNC, WinVNC3/4 passwords
Outlook settings
SAM, LSASS cache
Windows Live, .Net Passport passwords

References to information collected by the module.

Additional known variants: 992E, AF68, D49F
482F – Collects system information.
•       
•       
•       

Enumerates disk drives
Gets list of running processes
Extensive process information including uptime

For any inquiries, please contact intelrepo...@kaspersky.com

24

The Duqu 2.0
Technical Details

•       
•       

Memory information
SID information

Additional known variants: F3F4
559B – Active Directory survey.
•       
•       
•       

Connects to the Active Directory Global Catalog (“GC:”) using ADSI
Enumerates all objects in AD
Presents every entry in a human-readable format

Active Directory enumeration routine.

580C - Collects system and network information.
•       
•       
•       
•       
•       
•       
•       

Retrieves the domain controller name
Enumerates all users and groups in the domain
Collects Task Scheduler logs
Collects disk information, removable device history
Retrieves firewall policies
Enumerates all named system objects
Enumerates all system services

For any inquiries, please contact intelrepo...@kaspersky.com

25

The Duqu 2.0
Technical Details

5B78 - Collects system information and utilities. One of the two exported 
functions has
a name “GetReport”.
•       
•       
•       
•       

Enumerate running processes, extract tokens and SIDs, collect timing information
Logon users using explicit credentials
Impersonate users of running processes
Build new 32-bit and 64-bit shellcode stubs using a hardcoded template

Both 32-bit and 64-bit versions exist.
Additional known variants: E8C7, EE6E.
5C66 – Encrypted file I/O, utilities
•       
•       

File I/O operations: open/seek/read/write
Manages compressed and encrypted temporary files

For any inquiries, please contact intelrepo...@kaspersky.com

26

The Duqu 2.0
Technical Details

622B - Generate XML report about system using unique schema
•       
•       
•       
•       
•       
•       
•       

Computer name
Windows directory
Enumerates all logical drives
Lists all files
OS serial number
Domain name
Network adapter configuration: IP addresses, MAC, MTU, adapter list

XML tags used to generate the system report.

6302 - Utilities. Has internal name “d3dx9_27.dll”. Executes timer-based events.
Additional known variants: FA84
669D – Utilities. Given a list of file names and directories, checks if they 
exist.
Additional known variants: 880B
For any inquiries, please contact intelrepo...@kaspersky.com

27

The Duqu 2.0
Technical Details

6914 - Sniffer-based network attacks. Uses a legitimate WinPcap driver 
“npf.sys”. Detects
NBNS (NetBIOS protocol) requests of interest and sends its own responses:
•       
•       

Responds to WPAD requests (“FHFAEBE” in NBNS packets)
Sends responses to HTTP GET requests

The network filter is based on the BPF library. The payloads for the HTTP and 
WPAD
responses are provided externally.

Fake HTTP response and related status messages.

6FAC - File API
•       
•       
•       

Get file size, attributes
Securely delete a file
Open/close/read/write file contents

Additional known variants: A7EE
7BDA – Collects system information
•       
•       
•       
•       
•       
•       
•       
•       

Current state of AV and firewall protection using wscapi.dll API
Detect if “sqlservr.exe” is running
Computer name
Workgroup info
Domain controller name
Network adapter configuration
Time and time zone information
CPU frequency

Additional known variants: EF2E
For any inquiries, please contact intelrepo...@kaspersky.com

28

The Duqu 2.0
Technical Details

7C23 – Extracts metadata from documents and collects system information
•       
•       
•       

Computer name
System volume serial
Complete file API as in 6FAC

Searches for documents and archives and implements routines to extract all 
valuable
information from them:
•       
•       
•       
•       
•       
•       

E-mail messages: eml, msg
Image files: jpg, jpe, jpeg, tif, tiff, bmp, png
Multimedia files: wmv, avi, mpeg, mpg, m4a, mp4, mkv, wav, aac, ac3, dv, flac,
flv, h264, mov, 3gp, 3g2, mj2, mp3, mpegts, ogg, asf. These are re-encoded with
libffmpeg.
Contents from PDF documents
Microsoft Office: doc, docx, xlsx, pptx. Dedicated routines are called 
accordingly:
“OfficeRipDoc”, “OfficeRipDocx”, “OfficeRipXlsx”, “OfficeRipPptx”. PPT slides 
are
extracted and converted to a HTML digest of the presentation.
Archives: gz, gzip, gzX3, zip, rar

Creates temporary files with extension “.fg4”.
Additional known variants: EB18, C091

Part of the list of file extensions of interest and corresponding status 
messages.
For any inquiries, please contact intelrepo...@kaspersky.com

29

The Duqu 2.0
Technical Details

8172 - Sniffer-based network attacks. Performs NBNS (NetBIOS protocol) name
resolution spoofing for:
•       
•       
•       

WPAD requests
Names starting with “SHR”
Names starting with “3142” (log only)

Status messages related to the attack.

Additional feature: the module can build new shellcode blobs from hardcoded 
templates.
81B7 – Driver management
•       
•       
•       

Write driver to disk
Start/stop driver
Safely remove the driver’s file from disk

Additional known variants: C1B9

For any inquiries, please contact intelrepo...@kaspersky.com

30

The Duqu 2.0
Technical Details

8446 - Oracle DB and ADOdb client.
•       
•       
•       

Uses “oci.dll” API to access Oracle databases
Extracts all available information from the database
Also connects to ADOdb providers

SQL queries and related data.

8912 – Encrypted file manipulation and collects system information
•       
•       
•       
•       
•       
•       

Shared file mapping communication
Write encrypted data to files
Enumerate windows
Enumerate network shares and local disks
Retrieve USB device history
Collect network routing table

Known mutex and mapping names:
•       
•       
•       

Global\{DD0FF599-FA1B-4DED-AC70-C0451F4B98F0} 
Global\{B12F87CA-1EBA4365-B90C-E2A1D8911CA9},
Global\{B03A79AD-BA3A-4BF1-9A59-A9A1C57A3034} 
Global\{6D2104E6-73104A65-9EDD-F06E91747790},
Global\{DD0FF599-FA1B-4DED-AC70-C0451F4B98F0} 
Global\{B12F87CA-1EBA4365-B90C-E2A1D8911CA9}

For any inquiries, please contact intelrepo...@kaspersky.com

31

The Duqu 2.0
Technical Details

Additional known variants: D19F, D2EE
9224 – Run console applications. Creates processes using desktop “Default”, 
attaches to
its console and redirects its I/O to named pipes.
92DB - Modified cmd.exe shell.

Several CMD commands processed by the shell.

9F0D (64-bit), D1A3(32-bit) – legitimate signed driver NPF.SYS (WinPcap) 
distributed
inside the VFS along with the plugins. It is used for sniffer-based network 
attacks.
A4B0 – Network survey
•       
•       
•       
•       
•       
•       

Uses DHCP Server Management API (DHCPSAPI.DLL) to enumerate all DHCP server’s
clients
Queries all known DHCP sub-networks
Searches for machines that have ports UDP 1434 or 137 open
Enumerates all network servers
Enumerates network shares
Tries to connect to remote registries to enumerate all users in HKEY_USERS, 
converts
them to SIDs

B6C1 - WNet API. Provides wrappers for the WnetAddConnection2 and WNetOpenEnum
functions.
Additional known variants: BC4A

For any inquiries, please contact intelrepo...@kaspersky.com

32

The Duqu 2.0
Technical Details

C25B – Sniffer based network attacks. Implements a fake SMB server to trick 
other
machines to authenticate with NTLM.
•       

Implements basic SMB v1 commands

SMB commands handled by the module

•       
•       
•       

Pretends to have IPC$ and A: shares
Accepts user authentication requests
Also handles HTTP “GET /” requests

NTLM challenge and SMB server data

For any inquiries, please contact intelrepo...@kaspersky.com

33

The Duqu 2.0
Technical Details

ED92 – File system survey
•       
•       

Enumerates all local drives and connected network shares
Lists files

EF97 – Filesystem utilities
•       
•       
•       
•       
•       

Enumerate files
Create and remove directories
Copy/move/delete files and directories
Extract version information from files
Calculate file hashes

Additional known variants: F71E

Persistence mechanism
The Duqu 2.0 malware platform was designed in a way that survives almost 
exclusively
in memory of the infected systems, without need for persistence. To achieve 
this, the
attackers infect servers with high uptime and then re-infect any machines in 
the domain
that get disinfected by reboots. Surviving exclusively in memory while running 
kernel
level code through exploits is a testimony to the technical prowess of the 
group. In
essence, the attackers were confident enough they can survive within an entire 
network
of compromised computers without relying on any persistence mechanism at all.
The reason why there is no persistence with Duqu 2.0 is probably because the 
attackers
wanted to stay under the radar as much as possible. Most modern anti-APT 
technologies
can pinpoint anomalies on the disk, such as rare drivers, unsigned programs or
maliciously-acting programs. Additionally, a system where the malware survives 
reboot
can be imaged and then analyzed thoroughly at a later time. With Duqu 2.0, 
forensic
analysis of infected systems is extremely difficult – one needs to grab memory 
snapshots
of infected machines and then identify the infection in memory.
However, this mechanism has one weakness; in case of a massive power failure, 
all
computers will reboot and the malware will be eradicated. To get around this 
problem,
the attackers have another solution – they deploy drivers to a small number of
computers, with direct Internet connectivity. These drivers can tunnel traffic 
from the
outside into the network, allowing the attackers to access remote desktop 
sessions or
to connect to servers inside the domain by using previously acquired 
credentials. Using
these credentials, they can re-deploy the entire platform following a massive 
power loss.

Command and control mechanisms
Duqu 2.0 uses a sophisticated and highly flexible command-and-control mechanism 
that
builds on top of the 2011 variant, with new features that appear to have been 
inspired
by other top class malware such as Regin. This includes the usage of network 
pipes and
mailslots, raw filtering of network traffic and masking C&C traffic inside 
image files.
For any inquiries, please contact intelrepo...@kaspersky.com

34

The Duqu 2.0
Technical Details

Inside a Windows LAN, newly infected clients may not have a C&C hardcoded in 
their
installation MSI packages. Without a C&C, they are in “dormant” state and can be
activated by the attackers over SMB network pipes with a special TCP/IP packet 
that
contains the magic string “tttttttttttttttt”. If a C&C is included in the 
configuration part of
the MSI file, this can be either a local IP address, which serves as a bouncing 
point or an
external IP address. As a general strategy for infection, the attackers 
identify servers with
high uptime and set them as intermediary C&C points. Hence, an infected machine 
can
jump between several internal servers in the LAN before reaching out to the 
Internet.
To connect the the C&C servers, both 2011 and 2014/2015 versions of Duqu can 
hide the
traffic as encrypted data appended to a harmless image file. The 2011 version 
used a
JPEG file for this; the new version can use either a GIF file or a JPEG file. 
Here’s how
these image files look like:

Another modification to the 2014/2015 variants is the addition of multiple user 
agent
strings for the HTTP communication. The 2011 used the following user agent 
string:
•       

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824
Firefox/3.6.9 (.NET CLR 3.5.30729)

The new variants will randomly select an user agent string from a table of 53 
different
possible ones.

For any inquiries, please contact intelrepo...@kaspersky.com

35

The Duqu 2.0
Technical Details

Another unusual C&C mechanism relies on driver files that are used to tunnel 
the C&C
communications and attacker’s RDP/SMB activity into the network. The attackers 
deploy
such translation drivers on servers with direct Internet connectivity. Through 
a knocking
mechanism, the attackers can activate the translation mechanism for their IPs 
and tunnel
their traffic directly into the LAN. Outside the LAN, the traffic can be masked 
over port
443; inside the LAN, it can be either direct SMB/RDP or it can be further 
translated over
fake TCP/IP packets to IP 8.8.8.8.
During our investigation, we observed several such drivers. A description can 
be found
below.

The “portserv.sys” driver analysis
MD5: 2751e4b50a08eb11a84d03f8eb580a4e

Size: 14336
Compiled: Sat Feb 11 21:55:30 2006 (fake timestamp)
Internal name: termport.sys
Type: Win32 device driver (a 64 bit version is known as well)
For any inquiries, please contact intelrepo...@kaspersky.com

36

The Duqu 2.0
Technical Details

This is a malicious NDIS filter driver designed to perform manipulation of 
TCP/IP packets
to allow the attacker to access internal servers in the victim’s infrastructure.
Upon startup, the filter driver hooks into the NDIS stack and starts processing 
TCP/IP
packets.
To leverage the driver, the attacker first sends a special TCP/IP packet with 
the string
“romanian.antihacker” to any of the hardcoded IPs belonging to infected server. 
In
general, such servers are computers with direct Internet connectivity, such as a
webserver or a proxy. The driver sees the packet, recognizes the magic string 
“romanian.
antihacker” and saves the attacker’s IP for later use.

Magic string used for knocking inside the driver.

When a packet comes from the attacker’s IP (saved before), the following logic 
applies:
•       
•       
•       
•       

Packet to server 1’s IP on port 443, is redirected on port 445 (Samba/Windows 
file
system)
Packet from server 1’s IP from port 445, is redirected to attacker’s IP port 443
Packet to server 2’s IP on port 443 is redirected on port 3389 (Remote Desktop)
Packet from server 2’s IP from port 3389 is redirected to attacker’s IP port 443

This effectively allows the attackers to tunnel SMB (remote file system access) 
and
Remote Desktop into these two servers while making it look like SSL traffic 
(port 443).
These drivers allow the Duqu attackers to easily access servers inside the LAN 
from
remote, including tunneling RDP sessions over Port 443 (normally SSL). It also 
gives them
a persistence mechanism that allows them to return even if all the infected 
machines
with the malware in memory are rebooted. The attackers can simply use existing
credentials to log back into any of the servers that the driver is serving and 
can reinitialize the backdoors from there.

For any inquiries, please contact intelrepo...@kaspersky.com

The Duqu 2.0
Technical Details

37

Similarities between
Duqu and Duqu 2.0
The 2014/2015 Duqu 2.0 is a greatly enhanced version of the 2011 Duqu malware
discovered by 7CrySyS Lab. It includes many new ideas from modern malware, such 
as
Regin, but also lateral movement strategies and harvesting capabilities which 
surpasses
commonly seen malware from other APT attacks.
Side by side:
2011 Duqu

2014/2015 Duqu 2.0

Number of victims:

<50 (estimated)

<100 (estimated)

Persistence mechanism:

Yes

No

Loader:

SYS driver

MSI file

Zero-days used:

Yes

Yes

Main storage:

PNF (custom) files

MSI files

C&C mechanism:

HTTP/HTTPS, network pipes

HTTP/HTTPS, network pipes

Known plugins:

6

>100

There are many similarities in the code that leads us to conclusion that Duqu 
2.0 was
built on top of the original source code of Duqu. Those interested can read 
below for a
technical description of these similarities.

7       

https://www.crysys.hu/publications/files/bencsathPBF11duqu.pdf
For any inquiries, please contact intelrepo...@kaspersky.com

38

The Duqu 2.0
Technical Details

One of the “trademark” features unique to the original Duqu was the set of 
functions that
provide logging facilities. Unlike many other APTs, Duqu logs almost every 
important step
of its activity but does it in a special way: there are no readable strings 
written to the log.
Instead, a series of unique numbers identify every state, error, or message in 
the log.
Comparing the functions that generate every log entry in Duqu and Duqu 2.0, we 
can
conclude that they are almost identical:

The first generation of Duqu was also written in a very rare and unique manner. 
It was
compiled with Visual Studio and while parts of it were definitely written in 
C++, the
majority of its classes were not natively generated by the C++ compiler. After 
analyzing
all the possible variants, we conclude that these classes were written in OO-C, 
the
objective variant of the C language, and then somehow converted into a 
compilable C/
C++ source. All these classes had a very specific feature: the virtual function 
table of
every instance was filled “by hand” in its constructor. Interestingly, this is 
no longer the
case for Duqu 2.0. The authors upgraded their compiler from Visual Studio 2008 
(used in
2011) to Visual Studio 2013 and now use classes that look much more like native 
C++
ones:

On the left: the “hand-made” or “compiler-assisted” classed of OO-C in Duqu.
On the right: the same class in Duqu 2.0 has a native Vtable similar to native 
C++ one,
however the offset of the pointer is not zero.

For any inquiries, please contact intelrepo...@kaspersky.com

39

The Duqu 2.0
Technical Details

The more concrete evidence of similarity can be found if we look for functions 
that
actually use the logging facilities. The authors kept using the same unique 
numbers for
identification of internal states, errors and function results. Networking 
functions are
good candidates for comparison:

Implementation of the same networking function in Duqu and Duqu 2.0. Note the 
same unique numbers
(in red rectangles) PUSHed as parameters to the logging function.

For any inquiries, please contact intelrepo...@kaspersky.com

40

The Duqu 2.0
Technical Details

Another networking routine: after calling recv() to receive data from network, 
Duqu logs the results and
possible network errors (obtained via WSAGetLastError()). Unique numbers in red 
rectangles are used to
identify the current state of the networking routine.

The code of the orchestrator evolved in many aspects since 2011. One of the 
notable
differences is a huge list of HTTP User-Agent strings that are now used instead 
of a single
hard-coded one:

For any inquiries, please contact intelrepo...@kaspersky.com

41

The Duqu 2.0
Technical Details

The authors also modified the “magic” two-byte value that identifies encrypted 
network
traffic: “SH” was replaced with a more neutral and harder to trace “WW”:

Code that verifies the “magic” value in network traffic.
The chars are swapped due to little-endianness of data in x86/64 architectures.

Both Duqu and Duqu 2.0 use special structures to identify the interfaces of 
their plugins.
The orchestrator also has one for the “core” plugin that is compiled in its 
code. The
newer version has a slightly bigger table, hence more functions, and a 
different notation
for describing the plugin features. Special strings (i.e. “A888A8>@”) describe 
each
function’s signature. The older Duqu had contained similar strings in binary 
(unreadable)
form.

Data structure that describes the “core” plugin of Duqu and two different 
version of Duqu 2.0.
Note the same constants and similar functions.

For any inquiries, please contact intelrepo...@kaspersky.com

42

The Duqu 2.0
Technical Details

The Duqu C&C code makes use of small image files to hide its communications over
unencrypted channels, i.e. HTTP. The original Duqu used a JPEG file, and known 
versions
of Duqu 2.0 use a similar JPEG file as well as a new, larger GIF file. Also, 
the layout of the
data section did not change much: the image data is preceded by short AES 
encryption
keys (string “sh123456” in Duqu, two binary DWORDs in Duqu 2.0) followed by the 
LZO
version string “2.03”.

Image data used for hiding C&C communication in them: JPEG in Duqu, similar 
JPEG in Duqu Bet and
GIF in a different version of Duqu Bet. Note the preceding LZO version string 
“2.03” and encryption keys.

The large number of similarities between the Duqu 2011 code and the new Duqu 2.0
samples indicates that the new code represents a new iteration of the malware 
platform.
The new version could not have been built without access to the 2011 Duqu source
code. Hence, we conclude that the authors are the same or working together.

Victims of Duqu 2.0
Victims of Duqu 2.0 were found in several places, including western countries, 
the
Middle East and Asia. The actor appears to compromise both final and 
utilitarian targets,
which allow them to improve their cyber capabilities.
Most of the final targets appear to be similar to their 2011 goals – which is 
to spy on
Iran’s nuclear program. Some of the new 2014-2015 infections are linked to the 
P5+1
events and venues related to the negotiations with Iran about a nuclear deal. 
The threat
actor behind Duqu appears to have launched attacks at the venues for some of 
these
high level talks. In addition to the P5+1 events, the Duqu 2.0 group has 
launched a similar
attack in relation to the 870th anniversary event of the liberation of 
Auschwitz-Birkenau.

8       

http://70.auschwitz.org/index.php?lang=en

For any inquiries, please contact intelrepo...@kaspersky.com

43

The Duqu 2.0
Technical Details

The other type of targets for the new attacks are what we call “utilitarian” 
targets. These
are companies that the attackers compromise to improve their cyber capabilities.
For instance, in 2011, the attackers compromised a certificate authority in 
Hungary;
obviously, this would allow them to generate digital certificates, which can be 
further
used to sign malware samples. The same pattern can be seen with the Duqu 2.0
infections. Some of the companies infected with Duqu 2.0 operate in the sector 
of
Industrial Control Systems as well as industrial computers.

Attribution
As usual, attribution of cyberattacks over the Internet is a difficult task. In 
the case of
Duqu, the attackers use multiple proxies and jumping points to mask their 
connections.
This makes tracking an extremely complex problem.
Additionally, the attackers have tried to include several false flags 
throughout the code,
designed to send researchers in the wrong direction. For instance, one of the 
drivers
contains the string “ugly.gorilla”, which obviously refers to 9Wang Dong, a 
Chinese
hacker believed to be associated with the APT1/Comment Crew. The usage of the
Camellia cypher in the MSI VFSes, previously seen in APT1-associated Poison Ivy 
samples
is another false flag planted by the attackers to make researchers believe they 
are dealing
with APT1 related malware. The “romanian.antihacker” string used in the 
“portserv.sys”
driver is probably designed to mimic “w00tw00t.at.blackhats.romanian.anti-sec” 
requests
that are often seen in server logs or simply point to an alleged Romanian 
origin of the
attack. The usage of rare compression algorithms can also deceptive. For 
instance, the
LZJB algorithm used in some of the samples is rarely seen in malware samples; 
it has
been used by MiniDuke which we reported in early 2013.
Nevertheless, such false flags are relatively easy to spot, especially when the 
attacker is
extremely careful not to make any other mistakes.
During our 2011 analysis, we noticed that the logs collected from some of the 
proxies
indicated the attackers appear to work less on Fridays and didn’t appear to 
work at all on
Saturdays, with their regular work week starting on Sunday. They also compiled 
binaries
on January 1st, indicating it was probably a normal work day for them. The 
compilation
timestamps in the binaries seemed to suggest a time zone of GMT+2 or GMT+3. 
Finally,
their attacks would normally occur on Wednesdays, which is why we originally 
called
them the “Wednesday Gang”. While the 2014 attack against Kaspersky Lab also took
place on a Wednesday, the gang made huge OPSEC improvements compared to their
older 2011 operations, including faking all the timestamps in PE files, 
removing the debug
paths and internal module names for all plugins.
The 2014 Duqu 2.0 binaries contain several strings in almost perfect English 
but one of
them has a minor mistake indicating the involvement of non-native speakers. The 
usage
of “Excceeded” instead of “Exceeded” in the file-harvesting module of Duqu 2.0 
is the
only language mistake we observed.

9       

http://www.fbi.gov/wanted/cyber/wang-dong/view

For any inquiries, please contact intelrepo...@kaspersky.com

44

The Duqu 2.0
Technical Details

Misspelling of the word “Exceeded” in Duqu 2.0.

Most interesting, one of the victims appear to have been infected both by the 
Equation
Group and by the Duqu group at the same time; this suggests the two entities are
different and competing with each other to obtain information from this victim.

Conclusions
During the 2011 Duqu attacks, we concluded that its main purpose could have 
been to
spy on Iran’s nuclear program. Some of the victims appear to have been 
“utilitary”, such
as one certificate authority in Hungary, which was compromised by Duqu and 
ultimately
that led to its discovery. The group behind Duqu hacks these “utilitary” 
victims in order to
gain certain technical abilities such as signing their malware with trusted 
certificates or to
serve as platforms for further attacks.
The 2014/2015 Duqu 2.0 appears to be a massive improvement over the older 
“Tilded”
platform, although the main orchestrator and C&C core remains largely 
unchanged. Back
in 2011 we pointed out to the usage of 10Object Oriented C as an unusual 
programming
technique. The 2014 version maintains the same core, although some new objects 
in
C++ have been added. The compiler used in the 2014 is newer and it results in 
different
code optimizations. Nevertheless, the core remains the same in functionality 
and it is
our belief it could not have been created by anyone without access to the 
original Duqu
source code. Since these have never been made public and considering the main 
interest
appears to have remained the same, we conclude the attackers behind Duqu and 
Duqu
2.0 are the same.
The targeting of Kaspersky Lab represents a huge step for the attackers and an 
indicator
of how quick the cyber-arms race is escalating. Back in 2011 and 2013 
respectively, 11RSA
and 12Bit9, were hacked by Chinese-language APT groups, however, such incidents
were considered rare. In general, an attacker risks a lot targeting a security 
company
– because they can get caught and exposed. The exact reason why Kaspersky Lab
was targeted is still not clear – although the attackers did seem to focus on 
obtaining
information about Kaspersky’s future technologies, Secure OS, anti-APT 
solutions, KSN
and APT research.

10       
https://securelist.com/blog/research/32354/the-mystery-of-duqu-framework-solved-7/
11       https://blogs.rsa.com/anatomy-of-an-attack/
12       https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/
For any inquiries, please contact intelrepo...@kaspersky.com

45

The Duqu 2.0
Technical Details

From a threat actor point of view, the decision to target a world-class 
security company
must be quite difficult. On one hand, it almost surely means the attack will be 
exposed –
it’s very unlikely that the attack will go unnoticed. So the targeting of 
security companies
indicates that either they are very confident they won’t get caught, or perhaps 
they don’t
care much if they are discovered and exposed. By targeting Kaspersky Lab, the 
Duqu
attackers have probably taken a huge bet hoping they’d remain undiscovered; and 
lost.
For a security company, one of the most difficult things is to admit falling 
victim to a
malware attack. At Kaspersky Lab, we strongly believe in transparency, which is 
why
we are publishing the information herein. For us, the security of our users 
remains the
most important thing – and we will continue to work hard to maintain your trust 
and
confidence.

References
1.       Duqu: A Stuxnet-like malware found in the wild 
https://www.crysys.hu/publications/
files/bencsathPBF11duqu.pdf
2.       Duqu: The Precursor to the next Stuxnet 
http://www.symantec.com/content/en/us/
enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_
next_stuxnet.pdf
3.       The Mystery of Duqu: Part One 
https://securelist.com/blog/incidents/31177/themystery-of-duqu-part-one-5/
4.       The Mystery of Duqu: Part Two 
https://securelist.com/blog/incidents/31445/themystery-of-duqu-part-two-23/
5.       The Mystery of Duqu: Part Three 
https://securelist.com/blog/incidents/31486/themystery-of-duqu-part-three-9/
6.       The Mystery of Duqu: Part Five 
https://securelist.com/blog/incidents/31208/themystery-of-duqu-part-five-6/
7.       The Mystery of Duqu: Part Six (The Command and Control Servers) 
https://securelist.
com/blog/incidents/31863/the-mystery-of-duqu-part-six-the-command-andcontrol-servers-36/
8.       The Mystery of Duqu: Part Ten 
https://securelist.com/blog/incidents/32668/themystery-of-duqu-part-ten-18/
9.       The Mystery of Duqu Framework Solved 
https://securelist.com/blog/research/32354/
the-mystery-of-duqu-framework-solved-7/
10.      The Duqu Saga Continues 
https://securelist.com/blog/incidents/31442/the-duqusaga-continues-enter-mr-b-jason-and-tvs-dexter-22/

For any inquiries, please contact intelrepo...@kaspersky.com

Securelist, the ressource
for Kaspersky Lab experts’
technical research, analysis
and thoughts

Kaspersky Lab B2C Blog

Kaspersky Lab security news
service

Eugene Kaspersky Blog

Kaspersky Lab
B2B Blog

Kaspersky Lab Academy

Kaspersky Lab, Moscow, Russia
www.kaspersky.com

All about Internet security:
www.securelist.com

Kaspersky Lab HQ

Follow us

39A/3 Leningradskoe Shosse
Moscow, 125212
Russian Federation
More contact details
Tel: +7-495-797-8700
Fax: +7-495-7978709

Find a partner near you:
www.kaspersky.com/buyoffline

Twitter.com/Kaspersky

Facebook.com/Kaspersky

Youtube.com/Kaspersky

© 2015 Kaspersky Lab. All rights reserved. Registered trademarks and service 
marks are the property of their respective owners.
Lotus and Domino are trademarks of International Business Machines Corporation, 
registered in many jurisdictions worldwide.
Linuxis the registered trademark of Linus Torvalds in the U.S. and other 
countries. Google is a registered trademark of Google, Inc.