After last week’s revelation that their corporate network has been hit by APT actors wielding a newer version of the infamous, Stuxnet-related Duqu attack toolkit, Kaspersky Lab researchers have shared more details about how the attackers achieved persistence in it.
“The attackers created an unusual persistence module which they deploy on compromised networks. This organization-level persistence is achieved by a driver that is installed as a normal system service,” they explained.
“During their operations the Duqu threat actors install these malicious drivers on firewalls, gateways or any other servers that have direct Internet access on one side and corporate network access on the other side. By using them, they can achieve several goals at a time: access internal infrastructure from the Internet, avoid log records in corporate proxy servers and maintain a form of persistence after all.”
When it comes to 64-bit systems, these drivers must be signed with a valid digital signature in order to be installed. This was obviously not a problem for the attackers, who used the same valid signature to sign all of the 64-bit drivers the researchers analyzed.
The driver was signed with legitimate signatures issued to “HON HAI PRECISION INDUSTRY CO. LTD”, i.e. Foxconn Technology Group.
Foxconn, as many know, is one of the world’s largest electronics manufacturers, and numbers Apple, Dell, Google, Cisco, Microsoft, HP and many other tech giants as customers.
This particular signature was used back in 2013 to sign a number of kernel drivers for Dell laptops, and since then just one more time: in these latest attacks.
The researchers pointed out these attackers’ predilection for using stolen software digital certificates to sign their malware: they did it before by using certificates issued to hardware manufacturers JMicron and Realtek to sign components of Stuxnet and earlier versions of Duqu.
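The detection angle in the two passages above is that the signature on the driver is technically valid, so a signature check alone passes; what stands out is the publisher (a hardware manufacturer) being unexpected on a gateway or firewall host. The following PowerShell is an added example, not code from the article or from Kaspersky. It enumerates running kernel drivers on a Windows host, reads each driver’s Authenticode signer, and reports any driver whose signer is outside a locally maintained allowlist or whose signature is not valid. The `$AllowedSigners` list is an assumption and should be populated from your own fleet baseline.

```powershell
# Added example (not from the article): inventory running kernel drivers and flag
# signers outside a baseline allowlist. A valid signature from an unexpected publisher
# (e.g. a hardware vendor on a gateway with no hardware from that vendor) is the case
# this is meant to surface. The allowlist is an assumption; build it from your baseline.

$AllowedSigners = @(
    'CN=Microsoft Windows',
    'CN=Microsoft Windows Hardware Compatibility Publisher'
)

function Get-DriverSignerReport {
    param([string[]] $AllowedSubjects = $AllowedSigners)

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry the \??\ NT prefix; strip it so the file path resolves
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            [pscustomobject]@{
                Driver  = $_.Name
                Path    = $path
                Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer  = $subject
                # Match on the leading CN= component; full subjects also carry O=, L=, C=
                Allowed = [bool]($AllowedSubjects | Where-Object { $subject -like "$_*" })
            }
        }
}

# Report only the outliers: unlisted signer, or a signature that does not verify
Get-DriverSignerReport |
    Where-Object { -not $_.Allowed -or $_.Status -ne 'Valid' } |
    Sort-Object Signer |
    Format-Table Driver, Status, Signer -AutoSize
```

Run it on the Internet-facing hosts the article singles out (firewalls, gateways, proxies) and compare the signer list against what the same role looks like elsewhere in the fleet. The `Status` column will read `Valid` for a driver signed with a stolen but unrevoked certificate, which is exactly why the allowlist comparison on `Signer`, not the signature status, is the useful part. `Get-AuthenticodeSignature` reports only the primary signature, so dual-signed drivers show one publisher.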
“We have no confirmation that any of these vendors have been compromised but our indicators definitely show that the Duqu attackers have a major interest in hardware manufacturers such as Foxconn, Realtek and Jmicron. This was confirmed in the 2014/2015 attacks, when we observed infections associated with hardware manufacturers from APAC, including ICS and SCADA computer equipment manufacturers,” the researchers noted.
It’s also interesting that the attackers never use the same certificates twice. The researchers posit that that’s because they have a bunch of them ready for use. “This would be extremely alarming because it effectively undermines trust in digital certificates,” they noted.