OnionDuke APT Malware through Tor Nodes

Security researchers at Leviathan Security Group discovered a malicious Tor exit node that wraps Windows executable files inside a second, malicious Windows executable. When Artturi Lehtiö of F-Secure investigated further, he found that the exit node was actually linked to the notorious Russian APT family MiniDuke.

MiniDuke previously infected government agencies and organisations in more than 20 countries through a modified PDF email attachment. The MiniDuke malware is written in assembly language and is usually very small in size.


The rogue Russian exit node identified by Pitts was banned from the Tor network, but the new research carried out by F-Secure has revealed that the malicious Tor exit node is specifically being used to plant a new variant of the MiniDuke advanced persistent threat (APT) malware which the researcher has dubbed 'OnionDuke'.

However, OnionDuke is a completely different malware family from MiniDuke. The relation was found because both seemed to use the same Command and Control (C&C) chain.
“This strongly suggests that although OnionDuke and MiniDuke are two separate families of malware, the actors behind them are connected through the use of shared infrastructure,” F-Secure researchers said in a blog post.
The malware has the ability to steal login credentials from the victim machine, and it includes components dedicated to gathering further information on the compromised system, such as the presence of antivirus software or a firewall.
“During our research, we have also uncovered strong evidence suggesting that OnionDuke has been used in targeted attacks against European government agencies, although we have so far been unable to identify the infection vector(s). Interestingly, this would suggest two very different targeting strategies. On one hand is the "shooting a fly with a cannon" mass-infection strategy through modified binaries and, on the other, the more surgical targeting traditionally associated with APT operations.”

According to the security researchers, when a victim attempts to download an executable via the malicious Tor exit node, what they actually receive is an executable "wrapper" that embeds both the original executable and a second, malicious executable.

Upon execution, the wrapper will proceed to write to disk and execute the original executable, thereby tricking the user into believing that everything went fine. However, the wrapper will also write to disk and execute the second executable.
Those who use the Tor anonymity network and download executables from an HTTPS-protected server, and those using a virtual private network, were not affected by the malware.
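One coarse triage check a defender can run on a download that arrived over a plain-HTTP Tor circuit, as an added example that is not code from the article or from F-Secure: a wrapper of the kind described above carries two PE images (the original plus the payload), so counting well-formed PE headers inside the file flags such binaries. The sample blobs are constructed here and are not real executables.

```python
import struct

def find_pe_headers(data: bytes) -> list[int]:
    """Return the offsets of every well-formed PE image inside data.

    A PE image begins with the DOS magic 'MZ'; the DOS header field
    e_lfanew (at offset 0x3C) points to the 'PE\\0\\0' signature.
    Both must line up for a hit, which filters out stray 'MZ' bytes.
    """
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # e_lfanew is small in real binaries; bound it to stay in range
            if 0 < e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found

def looks_wrapped(data: bytes) -> bool:
    """True when more than one PE image is present (original + payload)."""
    return len(find_pe_headers(data)) > 1

def make_fake_pe(body: bytes) -> bytes:
    """Constructed, non-executable PE-shaped blob for testing only."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\0\0" + body

# Constructed samples: a single image, and one image glued to a second
CLEAN = make_fake_pe(b"\x00" * 64)
WRAPPED = make_fake_pe(b"\x00" * 32) + make_fake_pe(b"\x00" * 32)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("wrapped", WRAPPED)):
        print(name, find_pe_headers(blob), "wrapped" if looks_wrapped(blob) else "ok")
```

Self-extracting installers and setup stubs legitimately embed PE files, so a hit is a reason to compare the file's hash against the publisher's published value, not a verdict on its own.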
