Cyberattackers Employ Elusive “CR4T” Backdoor to Target Middle Eastern Governments

 

A recent revelation by Russian cybersecurity firm Kaspersky sheds light on a covert cyber campaign dubbed DuneQuixote, which has been clandestinely targeting government bodies in the Middle East. This campaign involves the deployment of a newly identified backdoor called CR4T.
Kaspersky’s investigation, begun in February 2024, suggests the operation had been running for at least a year before that. The operators went to considerable lengths to keep their implants from being detected and analysed.
The attack begins with a dropper delivered in one of two forms: a plain executable (or DLL), or a tampered installer for Total Commander, a legitimate file-management tool. In either form, the dropper’s job is to recover a concealed command-and-control (C2) address, using a decryption routine built to hide the server’s location and to defeat automated malware analysis.
That routine combines the dropper’s own filename with fragments of Spanish poetry embedded in the code, computes an MD5 hash of the result, and uses the hash to decrypt the C2 address. Because the filename is part of the key material, a sample that has been renamed on disk, as sandboxes and analysts routinely do, produces a different hash and no usable address. Once the address is recovered, the dropper contacts the C2 server and downloads the next-stage payload, sending a hardcoded identifier as the User-Agent header in its HTTP requests.
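The following is an added illustration of the filename-dependent key derivation described above; it is not code from Kaspersky’s report or from the CR4T dropper. The article states only that the filename and poetry fragments are hashed with MD5 and that the hash decodes the C2 address; the use of the MD5 digest as a repeating XOR key, the poem fragment, the filename and the C2 URL are all constructed here to show why renaming a sample breaks recovery of the address.

```python
import hashlib
from typing import Optional

# Constructed stand-in for the Spanish-poetry snippets embedded in the
# dropper; the real strings are not reproduced in the article.
POEM_FRAGMENT = "en un lugar de la mancha de cuyo nombre no quiero acordarme"


def derive_key(dropper_filename: str, poem_fragment: str = POEM_FRAGMENT) -> bytes:
    """Key = MD5(filename || poem fragment); 16 raw bytes.

    The filename is part of the input, so the key only matches when the
    dropper runs under the name its author expected.
    """
    return hashlib.md5((dropper_filename + poem_fragment).encode("utf-8")).digest()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (an assumed cipher, not the one CR4T actually uses)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_c2(c2_url: str, expected_filename: str) -> bytes:
    """Build side: encrypt the C2 URL under the key for the intended filename."""
    return xor_with_key(c2_url.encode("ascii"), derive_key(expected_filename))


def recover_c2(blob: bytes, filename_on_disk: str) -> Optional[str]:
    """Dropper side: decrypt with whatever name the binary currently has.

    Returns the URL on success, or None when the result is not a plausible
    URL (i.e. the file was renamed and the derived key is wrong).
    """
    plain = xor_with_key(blob, derive_key(filename_on_disk))
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.startswith(("http://", "https://")):
        return None
    return text


if __name__ == "__main__":
    # Constructed C2 address and filename for demonstration only.
    blob = embed_c2("https://c2.example.com/gate", "Update.exe")
    print("original name :", recover_c2(blob, "Update.exe"))   # URL recovered
    print("renamed sample:", recover_c2(blob, "sample.bin"))   # None: wrong key
```

The practical consequence for analysis is the second line of output: a sandbox that renames submissions to a hash or a generic name never derives the right key, so the C2 string stays opaque and no network activity is observed. When triaging a sample that behaves this way, run it under its original filename, or reimplement the derivation (as above) with the name found in the original delivery artefact.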
Kaspersky no

[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
