
Duqu 2.0 malware undermines trust in digital certificates

Last week it was reported that Kaspersky Labs found Duqu 2.0, an upgraded variant of the Duqu malware, and that the new one is twice as dangerous and twice as sophisticated.

The latest analysis of samples related to Duqu 2.0 revealed that they were signed with legitimate digital certificates issued to Foxconn, a world-leading electronics contract manufacturer whose customers include BlackBerry, Apple, Sony and others.

The certificates were stolen from Foxconn, Wired says in a report.

Securelist analysed the Duqu 2.0 persistence module and said that the attackers “created an unusual persistence module which they deploy on compromised networks.”

“During their operations the Duqu threat actors install these malicious drivers on firewalls, gateways or any other servers that have direct Internet access on one side and corporate network access on other side,” says Securelist in a blog post. “By using them, they can achieve several goals at a time: access internal infrastructure from the Internet, avoid log records in corporate proxy servers and maintain a form of persistence after all.”

In essence, each driver redirects network streams to and from the gateway machine that runs it. Before the driver will forward a connection, the attacker first has to pass a network-based “knocking” mechanism by presenting a secret keyword.

Stealing digital certificates and signing malware on behalf of legitimate businesses seems to be a regular trick from the Duqu attackers, Securelist says. There’s no confirmation that any of the vendors have been compromised, but it’s obvious that the Duqu attackers have a major interest in Foxconn.

Perhaps the scariest part of the whole attack is the fact that the Duqu attackers never use the same digital certificate twice.

“This would be extremely alarming because it effectively undermines trust in digital certificates,” Securelist concludes.
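The two traits reported above, drivers planted on dual-homed gateway hosts and a signing certificate that is never reused, can be turned into a fleet-wide hunting heuristic. The script below is an added illustration, not code from the article or from Kaspersky/Securelist; the inventory records, hostnames, driver names, signer names and thumbprints are constructed placeholders.

```python
from collections import defaultdict

# Constructed inventory of signed kernel drivers seen across a small fleet.
# Hostnames, driver names and thumbprints are placeholders, not real indicators.
INVENTORY = [
    {"host": "gw-01", "dual_homed": True, "driver": "ndisflt.sys",
     "signer": "Foxconn", "thumbprint": "T-0001"},
    {"host": "ws-07", "dual_homed": False, "driver": "vidcap.sys",
     "signer": "Camera Vendor", "thumbprint": "T-0002"},
    {"host": "ws-12", "dual_homed": False, "driver": "vidcap.sys",
     "signer": "Camera Vendor", "thumbprint": "T-0002"},
    {"host": "proxy-02", "dual_homed": True, "driver": "tcpxfr.sys",
     "signer": "Foxconn", "thumbprint": "T-0003"},
    {"host": "ws-03", "dual_homed": False, "driver": "audio.sys",
     "signer": "Audio Vendor", "thumbprint": "T-0004"},
]

# Publishers the organisation actually expects to see signing its drivers.
EXPECTED_SIGNERS = {"Camera Vendor", "Audio Vendor"}


def hunt_single_use_certs(inventory, expected_signers):
    """Return (score, host, driver, reasons) tuples, highest score first."""
    hosts_by_thumb = defaultdict(set)
    for rec in inventory:
        hosts_by_thumb[rec["thumbprint"]].add(rec["host"])

    findings = []
    for rec in inventory:
        reasons = []
        # Duqu's operators did not reuse a certificate: a thumbprint that
        # appears on exactly one host in the whole fleet is the key signal.
        if len(hosts_by_thumb[rec["thumbprint"]]) == 1:
            reasons.append("certificate seen on a single host")
        # The reported drivers sat on firewalls, gateways and other dual-homed boxes.
        if rec["dual_homed"]:
            reasons.append("host is a dual-homed gateway")
        # A valid signature from a publisher the fleet has no business running.
        if rec["signer"] not in expected_signers:
            reasons.append(f"unexpected signer: {rec['signer']}")
        if len(reasons) >= 2:  # one signal alone is common noise; two or more is a lead
            findings.append((len(reasons), rec["host"], rec["driver"], reasons))
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    for score, host, driver, reasons in hunt_single_use_certs(INVENTORY, EXPECTED_SIGNERS):
        print(f"[{score}] {host}: {driver} -> {'; '.join(reasons)}")
```

In practice the inventory would come from an EDR or driver-enumeration query, and the thumbprint would be the signing certificate's fingerprint as reported by the signature verifier.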

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focused news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.