The DuneQuixote campaign revolves around a newly unearthed backdoor dubbed CR4T, used in an elusive operation that infiltrates the networks of government agencies in the Middle East.
Based on reports, the activity was first detected earlier this year, although evidence suggests it may have been operational for more than a year already. Researchers noted that this campaign stands out from other operations because it relies on evasion techniques crafted specifically to defeat automated detection and manual analysis.
Hackers deploy the new CR4T backdoor through an intricate process.
The intrusion begins with a dropper that comes in two variants: a regular executable, delivered either as an EXE or as a DLL, and a tampered installer for the legitimate file manager Total Commander. Neither variant stores the command-and-control (C2) server address in cleartext; the address is decrypted only at run time, which makes the droppers resistant to automated analysis tools.
The decryption of the C2 address uses an unusual key-derivation step. The dropper concatenates its own filename with excerpts from Spanish poems that are hardcoded into the binary, computes an MD5 hash of the result, and uses that hash as the key to decrypt the C2 address. The consequence for analysts is that the sample alone is not enough: a sandbox or researcher that has renamed the file (for example to its hash) derives the wrong key and never recovers the C2 address, so the original filename has to be preserved or guessed.
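The following Python is an added illustration of the filename-bound key derivation described above; it is not code from the malware or from the researchers' report. The poem line, the C2 string and the cipher applied after the MD5 step (a repeating-key XOR here) are constructed stand-ins, since the article gives none of them. It also goes one step beyond the text with an analyst-side helper that tries candidate original filenames against a renamed sample.

```python
import hashlib
from typing import Iterable, Optional

# Constructed illustration: the real poem excerpts and the real cipher used after
# the MD5 step are not given in the article, so a Don Quixote line stands in for
# the hardcoded snippet and a repeating-key XOR stands in for the cipher.
POEM_SNIPPET = "En un lugar de la Mancha, de cuyo nombre no quiero acordarme"


def derive_key(dropper_filename: str, poem_snippet: str = POEM_SNIPPET) -> bytes:
    """Key = MD5(filename || poem snippet): the filename is part of the secret."""
    return hashlib.md5((dropper_filename + poem_snippet).encode("utf-8")).digest()


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_c2(c2_url: str, dropper_filename: str) -> bytes:
    """Builder side: bind the C2 string to the filename the dropper will be shipped under."""
    return xor_stream(c2_url.encode("ascii"), derive_key(dropper_filename))


def recover_c2(blob: bytes, dropper_filename: str) -> Optional[str]:
    """Decrypt and sanity-check; returns None when the filename (hence the key) is wrong."""
    plain = xor_stream(blob, derive_key(dropper_filename))
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() and "://" in text else None


def brute_force_filename(blob: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Analyst helper: a renamed sample can still be decoded by trying likely original
    names taken from mail attachments, proxy logs or EDR telemetry."""
    for name in candidates:
        if recover_c2(blob, name) is not None:
            return name
    return None


if __name__ == "__main__":
    blob = encrypt_c2("http://update.example.invalid/api", "TotalCommanderSetup.exe")
    print(recover_c2(blob, "TotalCommanderSetup.exe"))                 # original name: C2 decodes
    print(recover_c2(blob, "5d41402abc4b2a76b9719d911017c592.exe"))    # sandbox-renamed: None
    print(brute_force_filename(blob, ["setup.exe", "TotalCommanderSetup.exe"]))
```

The practical point is in `recover_c2`: because the key never exists outside the running process, static extraction of the C2 string fails unless the analyst reproduces the exact filename, which is why detonation pipelines that rename submissions to their hash see this dropper do nothing.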
Once it reaches the C2 server, the dropper downloads the next-stage payload, but with two restrictions. The server returns the payload only if the request carries a specific User-Agent string, and the payload appears to be downloadable only once per victim or only during a limited time window. Both measures defeat the usual replay: an analyst who requests the same URL later, or with a different client, gets nothing back.
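To make the gating concrete, here is an added simulation of the staging server's decision logic; it is not the actual server code and the article does not disclose it. The User-Agent string, the validity window and the victim identifiers are assumed placeholders. It plays through the victim's genuine run and two typical analyst replays so the effect of each restriction is visible.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Assumed values: the article does not publish the real User-Agent string or the
# real validity window, so these are placeholders for the simulation.
EXPECTED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) CR4T-stage2"
WINDOW_SECONDS = 15 * 60


@dataclass
class StagingServer:
    payload: bytes
    expected_ua: str = EXPECTED_UA
    window: float = WINDOW_SECONDS
    checkins: Dict[str, float] = field(default_factory=dict)  # victim_id -> first check-in time
    delivered: Set[str] = field(default_factory=set)           # victim_ids already served

    def checkin(self, victim_id: str, now: float) -> None:
        """The dropper's first contact opens the download window for that victim."""
        self.checkins.setdefault(victim_id, now)

    def fetch(self, victim_id: str, user_agent: str, now: float) -> Tuple[int, bytes]:
        """Serve stage 2 only to the expected client, once, and only inside the window."""
        if user_agent != self.expected_ua:
            return 404, b""                    # wrong UA: look like a dead link
        opened = self.checkins.get(victim_id)
        if opened is None or now - opened > self.window:
            return 404, b""                    # unknown victim or window expired
        if victim_id in self.delivered:
            return 404, b""                    # already collected once
        self.delivered.add(victim_id)
        return 200, self.payload


def simulate() -> Dict[str, int]:
    """Victim's real run plus two analyst replays; returns the HTTP status of each."""
    srv = StagingServer(payload=b"<stage2 bytes>")
    t0 = 1_700_000_000.0
    results: Dict[str, int] = {}
    srv.checkin("victim-A", t0)
    results["victim_first"] = srv.fetch("victim-A", EXPECTED_UA, t0 + 5)[0]
    results["victim_again"] = srv.fetch("victim-A", EXPECTED_UA, t0 + 10)[0]   # one-time only
    results["analyst_curl"] = srv.fetch("victim-A", "curl/8.4.0", t0 + 20)[0]   # wrong UA
    srv.checkin("victim-B", t0)
    results["analyst_late"] = srv.fetch("victim-B", EXPECTED_UA, t0 + 3600)[0]  # window closed
    return results


if __name__ == "__main__":
    for name, status in simulate().items():
        print(f"{name:13s} -> HTTP {status}")
```

The lesson for incident responders is that the first request from the infected host is the only one that will ever carry the payload, so full packet capture or proxy logging at that moment matters more than later manual retrieval from the URL.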
The tampered Total Commander installer additionally carries anti-analysis checks intended to spot sandboxes and debuggers before the malicious code runs. It looks for debugging tools, for an absence of cursor movement, and for small amounts of system memory and disk capacity, all of which are typical of automated analysis virtual machines, and it does not proceed on a host that looks like an analysis environment.
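The Python below is an added example, not the installer's code, showing how those four checks are typically implemented and evaluated. The thresholds are assumptions (the article names the check types but not the values compared against); the decision logic is kept separate from the Win32 collection so it can be exercised on any platform, and the collector returns None off Windows.

```python
import ctypes
import shutil
import sys
import time
from dataclasses import dataclass
from typing import List, Optional

# Thresholds are assumptions: the article names the check types but not the
# values the installer compares against.
MIN_RAM_BYTES = 4 * 1024 ** 3
MIN_DISK_BYTES = 80 * 1024 ** 3


@dataclass
class HostMetrics:
    debugger_present: bool
    cursor_moved: bool
    ram_bytes: int
    disk_bytes: int


def analysis_indicators(m: HostMetrics) -> List[str]:
    """Pure decision logic: which of the four checks would make the dropper bail out."""
    reasons: List[str] = []
    if m.debugger_present:
        reasons.append("debugger attached")
    if not m.cursor_moved:
        reasons.append("no cursor movement (unattended sandbox)")
    if m.ram_bytes < MIN_RAM_BYTES:
        reasons.append("RAM below threshold (typical small VM)")
    if m.disk_bytes < MIN_DISK_BYTES:
        reasons.append("disk below threshold (typical small VM)")
    return reasons


class _POINT(ctypes.Structure):
    _fields_ = [("x", ctypes.c_long), ("y", ctypes.c_long)]


class _MEMORYSTATUSEX(ctypes.Structure):
    _fields_ = [
        ("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong),
        ("ullTotalPhys", ctypes.c_ulonglong), ("ullAvailPhys", ctypes.c_ulonglong),
        ("ullTotalPageFile", ctypes.c_ulonglong), ("ullAvailPageFile", ctypes.c_ulonglong),
        ("ullTotalVirtual", ctypes.c_ulonglong), ("ullAvailVirtual", ctypes.c_ulonglong),
        ("ullAvailExtendedVirtual", ctypes.c_ulonglong),
    ]


def collect_windows_metrics(wait_seconds: float = 2.0) -> Optional[HostMetrics]:
    """Gather the same four signals with Win32 calls; None when not running on Windows."""
    if sys.platform != "win32":
        return None
    k32, u32 = ctypes.windll.kernel32, ctypes.windll.user32
    debugger = bool(k32.IsDebuggerPresent())
    p1, p2 = _POINT(), _POINT()
    u32.GetCursorPos(ctypes.byref(p1))
    time.sleep(wait_seconds)                    # sample the cursor twice, a short gap apart
    u32.GetCursorPos(ctypes.byref(p2))
    moved = (p1.x, p1.y) != (p2.x, p2.y)
    mem = _MEMORYSTATUSEX()
    mem.dwLength = ctypes.sizeof(mem)
    k32.GlobalMemoryStatusEx(ctypes.byref(mem))
    disk = shutil.disk_usage("C:\\").total
    return HostMetrics(debugger, moved, int(mem.ullTotalPhys), disk)


if __name__ == "__main__":
    # Off Windows, fall back to constructed metrics for a roomy workstation.
    metrics = collect_windows_metrics() or HostMetrics(False, True, 16 * 1024 ** 3, 512 * 1024 ** 3)
    print(analysis_indicators(metrics) or ["no analysis indicators; dropper would proceed"])
```

The defensive reading is the mirror image: a detonation sandbox that wants to see this dropper's real behaviour has to present enough RAM and disk, inject mouse movement during the run, and hide its debugger, otherwise the installer simply behaves like the benign Total Commander setup.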
CR4T, the primary backdoor deployed in this campaign, enables attackers to execute commands, perform file operations, and establish communication with the C2 server. Notably, separate research identified a Golang variant of CR4T, indicating the attackers’ efforts to diversify their arsenal and target cross-platform environments.
Memory-only implants and droppers disguised as legitimate software are the latest example of how proficient attackers have become at evasion. With these tactics the perpetrators behind the DuneQuixote campaign have shown that they can get into targeted networks and stay there.
In conclusion, the DuneQuixote campaign represents a significant threat to government entities in the Middle East. Affected organisations should strengthen their defences against this threat actor, and analysts handling suspected samples should keep the original filename and capture the first C2 exchange, since a renamed sample or a replayed request will not yield the payload.