Duqu 2.0 Technical Analysis

Last month, Kaspersky released a report for Duqu 2.0, which was used to compromise Kaspersky Lab.

The following sequence summarizes the attack.

The attack utilized MS14-068, CVE-2014-6324 Elevation of Privilege Vulnerability in Kerberos KDC.

The exploit allows an unprivileged domain user to elevate the privileges to that of a Domain Admin.

The attacker as a Domain Admin, was able to launch the malicious MSI packages remotely to other systems.

Pass The Hash Technique was also observed to be used, in order to move laterally. Using this technique, the attacker was able to dump the user hashes and steal them to perform NTLM authentication without providing the password.

This was a vulnerability in win32k.sys kernel-mode driver that allows a local user to gain privilege escalation or memory corruption.

Lets take a look at some of the interesting patterns in the Malware Disassembly

Here we can see some interesting strings like HTTP Methods, HTTP Headers., content-type.

Here we can see the use of Proxy Headers too.

This shows the exported functions used by one of the DLLs.

Here we can see how MsiGetProperty pulls the values of PROP and HASHVAL which are later used for decrypting and loading other binaries.

Here we can see how proxy authentication is used in the disassembly.

We can observe the CONNECT Method too.

Kaspersky has released a bunch of IOCs which indicate the presence of the attack.

Since Microsoft has already patched the Vulnerabilities used in the attack, make sure your systems are fully patched. The sophistication of this attack calls for a much more sophisticated Security Platform that can identify, detect and remediate such an attack at an early stage.