Government bodies in the Middle East were targeted as part of a previously undocumented campaign to deliver a new backdoor called CR4T.
Russian cybersecurity firm Kaspersky said it discovered the activity in February 2024, with evidence suggesting it may have been active for at least a year before that. The campaign has been code-named DuneQuixote.
“The group behind the campaign has taken measures to prevent collection and analysis of its implants and has implemented practical and well-designed evasion methods in both network communications and malware code,” Kaspersky said.
The starting point of the attack is a dropper, which comes in two variants: a normal dropper implemented as an executable file or DLL, and a tampered installation file for a legitimate tool called Total Commander.
Regardless of the method used, the dropper’s primary function is to extract an embedded command and control (C2) address that is decrypted using a new technique to prevent the server address from being exposed to automated malware analysis tools.
Specifically, it involves getting the name of the dropper’s file and merging it together with one of the many encoded fragments of Spanish poems present in the dropper’s code. The malware then calculates the MD5 hash of the combined string, which serves as a key to decode the C2 server address.
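To show why this derivation frustrates automated analysis, here is an added example (not Kaspersky's code or a reproduction of the sample) that models the key step as the article describes it: MD5 over the dropper's own file name joined with an embedded poem fragment. The poem fragments and the C2 value are constructed, and the decode step is assumed to be repeating-key XOR, since the article does not state the cipher or the exact join; the point it illustrates is that a sandbox which saves the sample under a different name (commonly its hash) derives the wrong key and never recovers the address.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed stand-ins for the encoded Spanish-poem strings embedded in the dropper.
POEM_FRAGMENTS = [
    "En un lugar de la Mancha",
    "de cuyo nombre no quiero acordarme",
]
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789.-:/")


def derive_key(dropper_filename: str, fragment: str) -> bytes:
    """MD5 of the dropper's file name concatenated with one poem fragment (join assumed)."""
    return hashlib.md5((dropper_filename + fragment).encode("utf-8")).digest()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Assumed decode primitive: repeating-key XOR. The article does not name the cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_c2(address: str, dropper_filename: str, fragment: str) -> bytes:
    """Produce an encoded blob the way a builder would, so the decoder can be exercised."""
    return xor_with_key(address.encode("ascii"), derive_key(dropper_filename, fragment))


def decode_c2(blob: bytes, dropper_filename: str, fragment: str) -> Optional[str]:
    """Return the address only if the decoded bytes look like a host/URL; else None."""
    out = xor_with_key(blob, derive_key(dropper_filename, fragment))
    try:
        text = out.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and set(text) <= ALLOWED else None


def recover_c2(blob: bytes, candidate_names: List[str],
               fragments: List[str]) -> Optional[Tuple[str, str, str]]:
    """Analyst helper: brute-force (file name, fragment) pairs; an analyst who has the
    original file name succeeds, a sandbox that renamed the sample to its hash does not."""
    for name in candidate_names:
        for frag in fragments:
            addr = decode_c2(blob, name, frag)
            if addr is not None:
                return name, frag, addr
    return None


if __name__ == "__main__":
    blob = encode_c2("c2.example.invalid", "dropper.exe", POEM_FRAGMENTS[1])
    renamed = hashlib.sha256(blob).hexdigest()  # typical sandbox naming, constructed
    print(recover_c2(blob, [renamed], POEM_FRAGMENTS))        # None: key changed
    print(recover_c2(blob, ["dropper.exe"], POEM_FRAGMENTS))  # original name recovers it
```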
The dropper subsequently establishes connections with the C2 server and downloads a next-stage payload after providing a hardcoded ID as the User-Agent string in the HTTP request.
“The payload remains inaccessible for download unless the correct user agent is provided,” Kaspersky said. “Furthermore, it appears that the payload can only be downloaded once per victim or is only available for a short time after a malware sample is released into the wild.”
The trojanized Total Commander installer, on the other hand, differs in a few respects while keeping the core functionality of the original dropper.
It drops the Spanish poetry strings and adds anti-analysis checks that prevent it from connecting to the C2 server if a debugger or monitoring tool is installed on the system, if the cursor position does not change after a certain time, if the available RAM is less than 8 GB, or if the disk capacity is less than 40 GB.
CR4T (“CR4T.pdb”) is a C/C++-based memory-only implant that, after contacting the C2 server, gives attackers a console on the infected machine for running command-line commands, performing file operations, and uploading and downloading files.
Kaspersky said it had also discovered a Golang version of CR4T with identical characteristics, as well as possessing the ability to execute arbitrary commands and create scheduled tasks using the Go-ole library.
Besides that, the Golang CR4T backdoor is equipped to achieve persistence using the COM object hijacking technique and leveraging the Telegram API for C2 communications.
The presence of the Golang variant indicates that the unidentified threat actors behind DuneQuixote are actively honing their tradecraft with cross-platform malware.
“The ‘DuneQuixote’ campaign targets Middle Eastern entities with an interesting array of tools designed for stealth and persistence,” Kaspersky said.
“Through the deployment of memory-only implants and droppers masquerading as legitimate software, mimicking the Total Commander installer, attackers demonstrate above-average evasion capabilities and techniques.”