14 DAY TRIAL // The new generation of advanced threat Duqu that hit Kaspersky Lab is meaner than ever and its intelligence gathering modules were deployed against select targets across the world, telecommunication operators being several of the victims it made.
Signs of the new variant of this cyber-espionage platform, dubbed Duqu 2, were seen in 2014, following an absence on the security stage of about two years.
Companies in Europe and North Africa impacted
The Russian-based security company is not the only one tracking the activity of this threat actor, as Symantec also released information about new attacks, noting that they were directed against a small number of victims, including telecom operators in Europe and North Africa, as well as a Southeast Asian electronic equipment manufacturer.
Computers infected with Duqu 2 were also identified in the US, UK, Sweden, India, and Hong Kong, according to telemetry data from Symantec. Kaspersky places Russia on the list as well.
The company says that the group’s interest in telecom operators may be connected to attempts to spy on key targets using the networks.
The average user should have no worry about getting infected with Duqu because the malware is reserved to high-profile targets.
Kaspersky says that infections have been noticed at locations where high-level talks were held about negotiations with Iran about a nuclear deal.
“Given the diversity of targets, Symantec believes that the Duqu attackers have been involved in multiple cyberespionage campaigns. Some organizations may not be the ultimate targets of the group’s operations, but rather stepping stones towards the final target,” Symantec noted in a blog post on Wednesday.
Disinfection does not require a security solution
The malware comes in two flavors, one is a backdoor for continuous access to the victims’ computers and the other contains multiple modules for collecting intelligence, network mapping and infection, and communication with a command and control (C&C) server.
Researchers say that compared to the previous variant of the platform, the new one is more sophisticated. One difference is that it does not leave any trace on the disk, which makes it more difficult to detect on a compromised system.
This feat is achieved by lodging itself in the memory of the computer. Cleaning malware residing in RAM does not require a security solution and only demands rebooting the machine, because RAM does not offer persistent storage.
However, by spreading across the network, Duqu can re-infect a system that has been restarted. During a press conference in London on Wednesday, Eugene Kaspersky said that to make sure Duqu is removed from the infrastructure, a company should turn off all its computer systems.
Detection has already been added by both Symantec and Kaspersky, and at the moment it is likely that the operators will halt activity in order to create a new malware piece.