What is Duqu Malware?

Duqu is a family of computer malware that is considered to be linked to the Stuxnet worm. Duqu has taken advantage of a zero-day vulnerability in Microsoft Windows.

  • Duqu virus is made up of a number of software components that work together to help the attackers. This includes information-stealing capabilities, kernel drivers, and injection tools that run in the background.

  • A portion of this malware is written in the "Duqu framework," an unnamed high-level programming language. It's not C++, Python, Ada, Lua, or any of the other languages that have been tested. However, it's possible that Duqu was developed in C and compiled in Microsoft Visual Studio 2008 using a bespoke object-oriented framework.

How Does Duqu Work?

Duqu is a zero-day kernel attack delivered as a Microsoft Word document. When the Microsoft Word file is exploited, it dumps the installer files that load the remaining DUQU components.

The following are the files that make up the installer −

  • RTKT_DUQU.A (SYS file)

  • TROJ_DUQU.ENC (encrypted DLL file; decrypted version detected as TROJ_DUQU.DEC)

  • TROJ_DUQU.CFG (configuration file)

RTKT DUQU.A decrypts a configuration file located in its body upon execution to obtain the registry path containing the location of TROJ DUQU.ENC, as well as the process into which TROJ DUQU.ENC will be injected.

TROJ DUQU.RTKT DUQU decrypts ENC. Once it has been located. The decryption will produce a DLL file named TROJ DUQU.DEC, which will be discovered. Once loaded, TROJ DUQU.DEC goes to TROJ DUQU.CFG to get information about its routines. TROJ DUQU.DEC is set to use the sites kasperskychk.dyndns.org and www.microsoft.com to check for an Internet connection, according to TROJ DUQU.CFG. TROJ DUQU.DEC will also inject itself into the following processes if it is identified executing on the affected system −

  • explorer.exe
  • firefox.exe
  • Iexplore.exe

As per the completion of the routines mentioned above, TROJ DUQU.DEC is able to communicate with its command-and-control server and receive commands. The nature of the delivered orders is unknown, but it has been alleged that they include uploading further malware onto the infected system.

Purpose of Duqu

Duqu is on the lookout for data that could be used in a cyber-attack on industrial control systems. The known components are attempting to gather information, not to be damaging. However, due to Duqu's modular nature, a specific payload might be used to attack any type of computer system by any method, potentially allowing for cyber-physical attacks.

However, its use on personal computer systems has been discovered to destroy all recent information input on the system and the entire hard disk in some situations. Symantec has examined Duqu's internal communications, but the specific technique by which it replicates inside an infected network is unknown.

Duqu 2.0 Targeted Attacks

Duqu 2.0 is a sophisticated malware platform that exploits up to three zero-day vulnerabilities and has been linked to P5+1 events and venues for high-level talks with world leaders. The assaults included some previously unknown aspects, such as code that only existed in operative memory. It was virtually undetectable.

Experts at Kaspersky Lab discovered Duqu 2.0 after an effort to break into the company's internal network. The researchers discovered the complex strain of malware while testing a new tool designed to detect advanced persistent threats, which was a happy accident.

Duqu 2.0 makes use of advanced evasive strategies. It is difficult to detect because it is stored in memory. Duqu's updated version no longer writes data to the victim's hard drive. According to Symantec experts, Duqu 2.0 has two variants: one is a backdoor that appears to be used to gain persistence in the targeted entity by infecting multiple computers, and the second variant reflects its development and has more advanced capabilities.

Updated on: 09-Jun-2022


Kickstart Your Career

Get certified by completing the course

Get Started