Kaspersky researchers have discovered an ongoing malicious campaign initially targeting a governmental entity in the Middle East. Further investigation uncovered more than 30 malware dropper samples actively employed in this campaign, allegedly expanding the victimology to APAC, Europe and North America. Dubbed DuneQuixote, the malware strings incorporate snippets taken from Spanish poems to enhance persistence and evade detection, with the ultimate goal of cyber espionage.
As part of ongoing monitoring of malicious activity, Kaspersky experts uncovered a previously unknown cyber espionage campaign in February 2024, targeting a governmental entity in the Middle East. The attacker covertly spied on the target and harvested sensitive data using a carefully crafted set of tools designed for stealth and persistence.
The malware’s initial droppers disguise themselves as tampered installer files for a legitimate tool named Total Commander. Within these droppers, strings from Spanish poems are embedded, with different strings from one sample to another. This variation aims to alter the signature of each sample, making detection by traditional methodologies more challenging.
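The per-sample string variation described above is a classic way to defeat detection that keys on whole-file hashes. The following Python example, added here and not part of the Kaspersky report or the malware itself, builds three toy "droppers" that share an invariant code stub and a lure string but differ only in constructed filler text, then compares a hash blocklist against a rule anchored on the parts that do not change. All bytes, filler lines and names are constructed for illustration.

```python
import hashlib
from typing import Iterable

# Constructed toy samples, not real DuneQuixote bytes: each "dropper" is a
# fixed code region plus a filler string that differs per sample, mimicking
# the per-sample poem snippets the report describes.
INVARIANT_CODE = bytes.fromhex("554889e54883ec20488d0d00000000")  # constructed stub
LURE_STRING = b"Total Commander"  # the lure application named in the report

# Constructed filler text standing in for the varying poem snippets.
FILLERS = [
    b"verso primero de relleno",
    b"segundo verso distinto",
    b"tercer fragmento variable",
]


def build_sample(filler: bytes) -> bytes:
    """Assemble a toy dropper: header, invariant code, varying filler, lure string."""
    return b"MZ" + INVARIANT_CODE + b"\x00" + filler + b"\x00" + LURE_STRING


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hits(samples: Iterable[bytes], blocklist: set) -> int:
    """Count samples whose full-file hash is already on the blocklist."""
    return sum(1 for s in samples if sha256_hex(s) in blocklist)


def invariant_rule_hits(samples: Iterable[bytes]) -> int:
    """Count samples matching a rule anchored on the code stub and the lure
    string, ignoring the filler that changes from sample to sample."""
    return sum(1 for s in samples if INVARIANT_CODE in s and LURE_STRING in s)


def compare_detection() -> dict:
    samples = [build_sample(f) for f in FILLERS]
    # The defender has seen only the first sample and blocklisted its hash.
    blocklist = {sha256_hex(samples[0])}
    return {
        "distinct_hashes": len({sha256_hex(s) for s in samples}),
        "hash_hits": hash_blocklist_hits(samples, blocklist),
        "rule_hits": invariant_rule_hits(samples),
    }


if __name__ == "__main__":
    print(compare_detection())
```

Every sample gets a unique hash, so the blocklist catches only the one already seen, while the rule on the invariant stub plus lure string matches all three. The same idea underlies byte-pattern rules (YARA-style) that target code the author cannot cheaply vary.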
Embedded within the dropper is malicious code designed to download additional payloads in the form of a backdoor named CR4T. These backdoors, developed in C/C++ and Golang, aim to grant attackers access to the victim’s machine. Notably, the Golang variant uses the Telegram API for C2 communications, relying on public Golang Telegram API bindings.
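Because the Golang variant talks to its operators through the legitimate Telegram API, network-level detection cannot simply block the destination; it has to ask which hosts and processes have a business reason to reach it. The following Python example, added here and not from the report or any vendor product, runs that check over constructed proxy log lines: traffic to api.telegram.org from anything other than an allowlisted client is flagged for review. The log format, host names, process names and the allowlist are all assumptions for this example.

```python
import re
from typing import Iterable, List, Tuple

# Constructed proxy log lines; not taken from the page or any real environment.
PROXY_LOG = """\
2024-02-12T09:14:03Z host=ws-041 proc=outlook.exe dst=mail.example.com:443 bytes=18422
2024-02-12T09:14:09Z host=ws-041 proc=totalcmd_setup.exe dst=api.telegram.org:443 bytes=2310
2024-02-12T09:15:41Z host=ws-017 proc=Telegram.exe dst=api.telegram.org:443 bytes=90112
2024-02-12T09:16:02Z host=srv-db1 proc=svchost.exe dst=api.telegram.org:443 bytes=1207
"""

# Assumed log layout: one space-separated key=value record per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)

TELEGRAM_API_HOST = "api.telegram.org"
# Processes expected to use the Telegram API; an assumption for this example.
ALLOWED_TELEGRAM_CLIENTS = {"telegram.exe"}


def parse_log(text: str) -> List[dict]:
    """Parse log lines into dicts, skipping lines that do not fit the layout."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def flag_unexpected_telegram(records: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (host, process) pairs that contacted the Telegram API without
    being an allowlisted client. Case-insensitive on the process name."""
    flagged = []
    for rec in records:
        dst_host = rec["dst"].rsplit(":", 1)[0]
        if dst_host != TELEGRAM_API_HOST:
            continue
        if rec["proc"].lower() in ALLOWED_TELEGRAM_CLIENTS:
            continue
        flagged.append((rec["host"], rec["proc"]))
    return flagged


def run() -> List[Tuple[str, str]]:
    return flag_unexpected_telegram(parse_log(PROXY_LOG))


if __name__ == "__main__":
    for host, proc in run():
        print(f"review: {host} {proc} -> {TELEGRAM_API_HOST}")
```

The two flagged records are the installer-named process and a system process on a database server, neither of which normally has a reason to call the Telegram API; the desktop Telegram client on the workstation is left alone. In production the allowlist would be per-host rather than global, and the rule would be paired with the endpoint telemetry that EDR tools provide.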
“The variations of the malware showcase the adaptability and resourcefulness of the threat actors behind this campaign. At the moment, we have discovered two such implants, yet we strongly suspect the existence of additional ones,” comments Sergey Lozhkin, principal security researcher at Kaspersky’s GReAT (Global Research and Analysis Team).
Kaspersky telemetry identified a victim in the Middle East as early as February 2024. Additionally, several uploads of the same malware to a semi-public malware scanning service occurred at the end of 2023, with more than 30 submissions. Other sources suspected to be VPN exit nodes are located in South Korea, Luxembourg, Japan, Canada, the Netherlands, and the U.S.
To learn more about the new DuneQuixote campaign, visit Securelist.com.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- For endpoint-level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
- As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform.