April 2024: Kaspersky researchers have discovered an ongoing malicious campaign initially targeting a governmental entity in the Middle East. Further investigation uncovered more than 30 malware dropper samples actively employed in this campaign, allegedly expanding the victimology to APAC, Europe, and North America. Dubbed DuneQuixote, the malware strings incorporate snippets taken from Spanish poems to enhance persistence and evade detection, with the ultimate goal of cyber espionage.
As part of its ongoing monitoring of malicious activity, Kaspersky uncovered a previously unknown cyber espionage campaign in February 2024, targeting a governmental entity in the Middle East. The attacker covertly spied on the target and harvested sensitive data using a carefully crafted set of tools built for stealth and persistence.
The malware’s initial droppers disguise themselves as tampered installer files for a legitimate tool named Total Commander. Within these droppers, strings from Spanish poems are embedded, and the strings differ from one sample to the next. This variation changes each sample’s file hash and byte-level signature, so detection by traditional signature matching becomes more challenging.
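The evasion described above works against detections that key on the exact bytes or hash of a file. The following added example (not code from the article or from Kaspersky) illustrates the defender's side of that problem with constructed data: two stand-in "samples" share identical invariant bytes but carry different embedded filler strings, so their SHA-256 hashes differ, while a content hash computed after stripping long printable-string runs stays the same for both. The `INVARIANT_CODE` bytes and the filler strings are arbitrary placeholders, not the real dropper's code or poem text.

```python
import hashlib
import re

# Constructed stand-in for the part of a dropper that does not change between
# samples (arbitrary non-printable bytes; not real malware code).
INVARIANT_CODE = bytes.fromhex("554889e54883ec200f1f4000e80000000031c0c9c3")

# Constructed filler strings standing in for the per-sample embedded text.
# The real samples embed different snippets of Spanish poems per sample.
SAMPLE_FILLERS = [
    b"constructed filler text for sample A",
    b"constructed filler text for sample B, slightly longer",
]

# Runs of 8 or more printable ASCII bytes are treated as "variable" content.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def build_sample(filler: bytes) -> bytes:
    """Assemble a constructed sample: invariant bytes around a variable string."""
    return INVARIANT_CODE + b"\x00" + filler + b"\x00" + INVARIANT_CODE


def sha256(data: bytes) -> str:
    """Plain file hash, the kind of IoC that changes with every string tweak."""
    return hashlib.sha256(data).hexdigest()


def normalize(data: bytes) -> bytes:
    """Drop long printable runs so per-sample string changes do not matter."""
    return PRINTABLE_RUN.sub(b"", data)


def content_hash(data: bytes) -> str:
    """Hash of the normalized bytes: stable across samples that only vary strings."""
    return sha256(normalize(data))


def matches_known_family(data: bytes, known_content_hashes: set[str]) -> bool:
    """Detection check against content hashes collected from earlier samples."""
    return content_hash(data) in known_content_hashes


if __name__ == "__main__":
    samples = [build_sample(f) for f in SAMPLE_FILLERS]
    for i, s in enumerate(samples):
        print(f"sample {i}: sha256={sha256(s)[:16]}... content={content_hash(s)[:16]}...")
    # A content hash taken from the first sample still matches the second one.
    known = {content_hash(samples[0])}
    print("second sample matches family:", matches_known_family(samples[1], known))
```

The point for detection engineering is that a per-sample file hash remains a valid indicator for that one file, but a family with 30+ droppers that differ only in embedded text needs an indicator anchored on what does not change. The string-stripping normalization here is deliberately simple; in practice the same goal is served by rules over invariant code sections or by fuzzy hashing, and an adversary who also varies the code bytes would defeat this particular approach.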
Embedded within the dropper is malicious code designed to download additional payloads in the form of a backdoor named CR4T. These backdoors, developed in C/C++ and Go, aim to grant the attackers access to the victim’s machine. Notably, the Go variant uses the Telegram API for command-and-control communications, built on publicly available Go bindings for that API.
“The variations of the malware showcase the adaptability and resourcefulness of the threat actors behind this campaign. At the moment, we have discovered two such implants, yet we strongly suspect the existence of additional ones,” comments Sergey Lozhkin, principal security researcher at Kaspersky’s Global Research and Analysis Team.
Kaspersky telemetry identified a victim in the Middle East as early as February 2024. Additionally, several uploads of the same malware to a semi-public malware scanning service occurred at the end of 2023, amounting to more than 30 submissions. Other submission sources, suspected to be VPN exit nodes, were located in South Korea, Luxembourg, Japan, Canada, the Netherlands, and the U.S.
To learn more about the new DuneQuixote campaign, visit Securelist.com.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by Global Research and Analysis Team experts.
- For endpoint-level detection, investigation, and timely remediation of incidents, implement security solutions such as Kaspersky Next.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as the Kaspersky Anti Targeted Attack Platform.
- As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team—for example, through the Kaspersky Automated Security Awareness Platform.