Last week it was reported that Kaspersky Labs found Duqu 2.0, an upgraded variant of the Duqu malware, and that the new one is twice as dangerous and twice as sophisticated.
The latest analysis of samples related to Duqu 2.0 revealed that they were signed with legitimate digital certificates issued by Foxconn – a world leading electronics contract manufacturer, including customers like Blackberry, Apple, Sony and others.
The certificates were stolen from Foxconn, says Wired in a report.
Securelist analysed the Duqu 2.0 persistence module, and have said how the attackers “created an unusual persistence module which they deploy on compromised networks.”
“During their operations the Duqu threat actors install these malicious drivers on firewalls, gateways or any other servers that have direct Internet access on one side and corporate network access on other side,” says Securelist in a blog post. “By using them, they can achieve several goals at a time: access internal infrastructure from the Internet, avoid log records in corporate proxy servers and maintain a form of persistence after all.”
In essence, the drivers are redirecting network streams to and from the gateway machine that runs it. To forward connections, the attacker first has to pass a network-based “knocking” mechanism by using a secret keyword.
Stealing digital certificates and signing malware on behalf of legitimate businesses seems to be a regular trick from the Duqu attackers, Securelist says. There’s no confirmation that any of the vendors have been compromised, but it’s obvious that the Duqu attackers have a major interest in Foxconn.
Perhaps the scariest part of the whole attack is the fact that Duqu attackers never use same digital certificate twice.
“This would be extremely alarming because it effectively undermines trust in digital certificates,” Securelist concludes.