“The malware used in this case is, however, not a version of MiniDuke. It is instead a separate, distinct family of malware that we have since taken to calling OnionDuke,” say F-Secure researchers.
“When a user attempts to download an executable via the malicious Tor exit node, what they actually receive is an executable ‘wrapper’ that embeds both the original executable and a second, malicious executable,” they explained. “By using a separate wrapper, the malicious actors are able to bypass any integrity checks the original binary might contain. Upon execution, the wrapper will proceed to write to disk and execute the original executable, thereby tricking the user into believing that everything went fine. However, the wrapper will also write to disk and execute the second executable.”
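The wrapper described above defeats any integrity check the original binary carries internally, because the file the user actually receives is a different executable that merely contains the original. Two checks on the receiving side still catch it: comparing the downloaded file's SHA-256 against a hash obtained out of band from the publisher, and scanning the file for more than one embedded PE header (a legitimate standalone executable has exactly one; a wrapper carrying the original plus a second executable has at least three). The following is an added example, not F-Secure's code nor part of the original article. It uses constructed stand-ins for PE files (a bare DOS header with e_lfanew pointing at a "PE\0\0" signature, not real binaries), and the e_lfanew sanity bounds are an assumption of the heuristic; installers and self-extractors also embed PE files, so a multi-header hit is a reason to inspect, not proof of infection.

```python
import hashlib
import hmac
import struct

# Heuristic sanity bounds (assumption) for the e_lfanew field: the offset of
# the "PE\0\0" signature, stored at byte 0x3C of the DOS header. Anything
# outside this window is treated as a stray "MZ" rather than a PE header.
_MIN_LFANEW = 0x40
_MAX_LFANEW = 0x1000


def find_pe_headers(data: bytes) -> list:
    """Return the offsets of every plausible PE header inside `data`.

    A legitimate executable has exactly one. A wrapper that embeds the
    original and a second executable as whole blobs shows two or more hits.
    """
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        lfanew_at = pos + 0x3C
        if lfanew_at + 4 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, lfanew_at)
            sig_at = pos + e_lfanew
            if (_MIN_LFANEW <= e_lfanew < _MAX_LFANEW
                    and data[sig_at:sig_at + 4] == b"PE\x00\x00"):
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the file's SHA-256 with a hash obtained over a trusted channel."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def assess_download(data: bytes, expected_sha256: str) -> dict:
    """Combine both checks into a verdict for a downloaded executable."""
    headers = find_pe_headers(data)
    hash_ok = sha256_matches(data, expected_sha256)
    if not hash_ok:
        verdict = "reject: hash mismatch (file altered in transit or wrong file)"
    elif len(headers) > 1:
        verdict = "suspicious: multiple embedded PE headers"
    else:
        verdict = "ok"
    return {"hash_ok": hash_ok, "pe_headers": headers, "verdict": verdict}


def make_fake_pe(tag: bytes) -> bytes:
    """Build a minimal constructed stand-in for a PE file (not a real binary):
    a DOS header with e_lfanew = 0x40, then the PE signature and a tag."""
    assert b"MZ" not in tag
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + b"\x00" * 20 + tag


# Constructed sample: the genuine file, and a wrapper that embeds it together
# with a second executable, mirroring the structure the researchers describe.
CLEAN_EXE = make_fake_pe(b"original-program")
WRAPPED_EXE = (make_fake_pe(b"wrapper-stub")
               + CLEAN_EXE
               + make_fake_pe(b"second-payload"))
# Stands in for the hash a publisher would post over HTTPS or in a signed file.
CLEAN_SHA256 = hashlib.sha256(CLEAN_EXE).hexdigest()


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_EXE), ("wrapped", WRAPPED_EXE)):
        print(name, assess_download(blob, CLEAN_SHA256))
```

The hash comparison is the check that actually decides: it fails for the wrapped file no matter how faithfully the wrapper reproduces the original's behaviour, because the bytes on disk are not the bytes the publisher hashed. The header scan is a secondary triage signal for cases where no trusted hash is available.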
The malware attempts to connect to C&C URLs hardcoded in its configuration file – all five C&C domains appear to be legitimate domains that the attackers have compromised – and if it succeeds, it downloads additional malicious components onto the infected computer.
The attackers are after data: login credentials, system and software information, and so on.
What led the researchers to tie this particular campaign to the MiniDuke-wielding APT group is that one of the components contacts a domain registered in 2011 by a person (using an alias) who also registered a host of other domains that have since been used as C&C domains by MiniDuke.
“Based on compilation timestamps and discovery dates of samples we have observed, we believe the OnionDuke operators have been infecting downloaded executables at least since the end of October 2013. We also have evidence suggesting that, at least since February of 2014, OnionDuke has not only been spread by modifying downloaded executables but also by infecting executables in .torrent files containing pirated software,” the researchers noted.
“However, it would seem that the OnionDuke family is much older, both based on older compilation timestamps and also on the fact that some of the embedded configuration data make reference to an apparent version number of 4 suggesting that at least three earlier versions of the family exist.”
What’s also interesting to note is that, apart from hitting random Tor users, OnionDuke has also been slung at European government agencies via a targeted attack (the infection vector is still unknown).
It would seem that the APT group also engages in lowly cyber crime attacks against random Internet users, perhaps as a way to pad their own bank accounts in the pauses between cyber espionage campaigns.
“It’s never a good idea to download binaries via Tor (or anything else) without encryption. The problem with Tor is that you have no idea who is maintaining the exit node you are using and what their motives are,” the researchers noted, and advised users to use VPNs to protect their connection all the way through the Tor network.