Duqu

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. [1]

ID: S0038
Type: MALWARE
Platforms: Windows

Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1134 | Access Token Manipulation | Duqu examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges.[2]
Enterprise | T1087 | Account Discovery | The discovery modules used with Duqu can collect information on accounts and permissions.[1]
Enterprise | T1010 | Application Window Discovery | The discovery modules used with Duqu can collect information on open windows.[1]
Enterprise | T1043 | Commonly Used Port | Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.[1]
Enterprise | T1090 | Connection Proxy | Duqu can be configured to have commands relayed over a peer-to-peer network of infected hosts if some of the hosts do not have Internet access.[1]
Enterprise | T1094 | Custom Command and Control Protocol | Duqu is capable of using its command and control protocol over port 443. However, Duqu is also capable of encapsulating its command protocol over standard application layer protocols. The Duqu command and control protocol implements many of the same features as TCP and is a reliable transport protocol.[1]
Enterprise | T1002 | Data Compressed | Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.[1]
Enterprise | T1022 | Data Encrypted | Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.[1]
Enterprise | T1001 | Data Obfuscation | When the Duqu command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by appending it to a blank JPG file.[1]
Enterprise | T1074 | Data Staged | Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.[1]
Enterprise | T1056 | Input Capture | Duqu can track key presses with a keylogger module.[1]
Enterprise | T1050 | New Service | Duqu creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key.[1]
Enterprise | T1057 | Process Discovery | The discovery modules used with Duqu can collect information on process details.[1]
Enterprise | T1093 | Process Hollowing | Duqu is capable of loading executable code via process hollowing.[1]
Enterprise | T1055 | Process Injection | Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).[1]
Enterprise | T1053 | Scheduled Task | Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.[1]
Enterprise | T1218 | Signed Binary Proxy Execution | Duqu has used msiexec to execute malicious Windows Installer packages. Additionally, a PROPERTY=VALUE pair containing a 56-bit encryption key has been used to decrypt the main payload from the installer packages.[2]
Enterprise | T1071 | Standard Application Layer Protocol | Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.[1]
Enterprise | T1032 | Standard Cryptographic Protocol | The Duqu command and control protocol's data stream can be encrypted with AES-CBC.[1]
Enterprise | T1016 | System Network Configuration Discovery | The reconnaissance modules used with Duqu can collect information on network configuration.[1]
Enterprise | T1049 | System Network Connections Discovery | The discovery modules used with Duqu can collect information on network connections.[1]
Enterprise | T1078 | Valid Accounts | Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.[1]
Enterprise | T1077 | Windows Admin Shares | Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.[1]
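
The T1001 row above describes uploads made of a blank JPG with the exfiltrated data appended after it. The following is an added example written for this page, not code from the ATT&CK entry or from the cited Duqu analyses: it walks the JPEG marker structure to find the real End-Of-Image marker (skipping entropy-coded scan data, so a 0xFFD9 inside the picture is not mistaken for the end) and reports any bytes that follow it. The minimal JPEG it builds and the XOR-masked blob it appends are constructed test data, not a Duqu capture; the function names are this example's own.

```python
"""Added example: detect a JPEG carrier with data appended after its EOI marker."""
from typing import Optional
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk the JPEG marker segments and return the offset just past the
    End-Of-Image marker, or None if the data is not a well-formed JPEG.
    Scan data after an SOS marker is skipped byte by byte, honouring 0xFF00
    byte stuffing, 0xFF fill bytes and RSTn markers."""
    if not data.startswith(SOI):
        return None
    n, pos = len(data), 2
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte between markers
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: end of the image proper
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # TEM, SOI, RSTn carry no length field
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2 or pos + 2 + seg_len > n:
            return None                         # truncated or corrupt segment
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break                       # a real marker ends the scan
                pos += 1
    return None


def appended_payload(data: bytes) -> Optional[bytes]:
    """Bytes after the EOI marker: b'' for a clean image, None if not a JPEG."""
    end = jpeg_end_offset(data)
    return None if end is None else data[end:]


def classify_upload(body: bytes) -> dict:
    """Triage one HTTP request body: any trailer after EOI is flagged, since a
    carrier image plus an appended blob is the shape described for Duqu."""
    end = jpeg_end_offset(body)
    if end is None:
        return {"jpeg": False, "image_bytes": 0, "trailer_bytes": 0, "suspicious": False}
    trailer = len(body) - end
    return {"jpeg": True, "image_bytes": end, "trailer_bytes": trailer,
            "suspicious": trailer > 0}


def build_blank_jpeg() -> bytes:
    """Constructed minimal 8x8 grayscale JPEG (SOI, APP0, SOF0, SOS, EOI).
    It is structurally valid for the parser above; it is not a real picture."""
    def seg(marker: int, payload: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\x08\x00\x08\x00\x08\x01\x01\x11\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x00\x00\xff\x00\x12"              # includes a stuffed 0xFF00 pair
    return SOI + seg(0xE0, app0) + seg(0xC0, sof0) + seg(0xDA, sos) + scan + EOI


if __name__ == "__main__":
    carrier = build_blank_jpeg()
    blob = bytes(b ^ 0x5A for b in b"constructed staged data")   # constructed XOR-masked blob
    for label, body in (("clean", carrier), ("with trailer", carrier + blob), ("not jpeg", b"GIF89a")):
        print(label, classify_upload(body))
```

Run it as a script to see the three verdicts, or feed request bodies captured from a proxy into classify_upload. Because the check relies only on JPEG structure, it also catches any other tool that hides data behind an image; compressed or XOR-masked trailers (the T1002 and T1022 rows) are found just as easily, since the parser never looks at the trailer's contents.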

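Three rows in the table describe host-side behaviour that leaves command-line evidence: msiexec launched with a custom PROPERTY=VALUE pair (T1218), a scheduled task created on a remote machine with stolen credentials (T1053, T1077), and a service that loads a driver (T1050). The script below is an added example written for this page, not code from ATT&CK or from the Duqu reports: it applies one rule per behaviour to process-creation records. The Sysmon-style events, host names, property name PROP, service name and file paths are all constructed for the example, and the list of benign MSI properties is an assumed allow-list that a deployment would tune.

```python
"""Added example: triage process-creation records for msiexec, schtasks and sc patterns."""
import re
import shlex
from typing import Optional

# Constructed Sysmon-style records: (host, user, parent image, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", "CORP\\alice", "explorer.exe",
     'msiexec.exe /i "C:\\Users\\alice\\Downloads\\update.msi" /qn REBOOT=ReallySuppress'),
    ("ws01", "CORP\\alice", "cmd.exe",
     'msiexec.exe /i "C:\\ProgramData\\tmp\\pkg.msi" /q PROP=9a3b1c2d4e5f60'),
    ("ws02", "CORP\\bob", "cmd.exe",
     'schtasks.exe /Create /TN "Backup" /TR "C:\\Tools\\backup.exe" /SC DAILY /ST 01:00'),
    ("ws02", "CORP\\svc_backup", "cmd.exe",
     'schtasks.exe /Create /S FILESRV01 /U CORP\\svc_backup /P ***** /TN "SysUpdate" '
     '/TR "C:\\Windows\\Temp\\u.exe" /SC ONCE /ST 02:00'),
    ("ws02", "NT AUTHORITY\\SYSTEM", "cmd.exe",
     'sc.exe create netdrv type= kernel binPath= "C:\\Windows\\system32\\drivers\\netdrv.sys"'),
]

# Assumed allow-list of public MSI properties commonly passed by legitimate installers.
BENIGN_MSI_PROPS = {"REBOOT", "ALLUSERS", "TRANSFORMS", "INSTALLDIR", "TARGETDIR",
                    "ADDLOCAL", "MSIFASTINSTALL", "INSTALLLEVEL", "ARPSYSTEMCOMPONENT"}
# A 56-bit key written in hex is 14 characters; accept that length or longer.
HEX_KEY = re.compile(r"^[0-9a-fA-F]{14,}$")


def split_cmdline(cmdline: str) -> list:
    """Windows-style split: quotes group arguments, backslashes stay literal."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def image_name(tok: list) -> str:
    return tok[0].lower().rsplit("\\", 1)[-1] if tok else ""


def rule_msiexec_custom_property(tok: list) -> Optional[str]:
    """msiexec given a public property outside the allow-list (T1218)."""
    if image_name(tok) != "msiexec.exe":
        return None
    for t in tok[1:]:
        name, sep, value = t.partition("=")
        if sep and name.isupper() and name not in BENIGN_MSI_PROPS:
            detail = f"custom public property {name}"
            if HEX_KEY.match(value):
                detail += " whose value is a hex string of 56 bits or more (possible decryption key)"
            return "T1218 msiexec: " + detail
    return None


def rule_remote_schtasks(tok: list) -> Optional[str]:
    """schtasks /Create aimed at another host via /S (T1053 over T1077 shares)."""
    if image_name(tok) != "schtasks.exe":
        return None
    low = [t.lower() for t in tok]
    if "/create" in low and "/s" in low:
        i = low.index("/s")
        host = tok[i + 1] if i + 1 < len(tok) else "?"
        return f"T1053/T1077 schtasks: task created on remote host {host}"
    return None


def rule_kernel_driver_service(tok: list) -> Optional[str]:
    """sc create for a kernel-mode service or a .sys binary path (T1050)."""
    if image_name(tok) != "sc.exe":
        return None
    joined = " ".join(t.lower() for t in tok)
    if "create" in joined.split() and (re.search(r"type=\s*kernel", joined)
                                       or re.search(r"binpath=\s*\S+\.sys(\s|$)", joined)):
        return "T1050 sc: new service whose binary is a kernel driver"
    return None


RULES = (rule_msiexec_custom_property, rule_remote_schtasks, rule_kernel_driver_service)


def triage(events) -> list:
    """Return one alert dict per event that matches a rule (first match wins)."""
    alerts = []
    for host, user, parent, cmdline in events:
        tok = split_cmdline(cmdline)
        for rule in RULES:
            hit = rule(tok)
            if hit:
                alerts.append({"host": host, "user": user, "parent": parent,
                               "rule": hit, "cmdline": cmdline})
                break
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']}: {alert['rule']}")
```

Of the five constructed events, the two routine ones (a quiet install with only REBOOT set, a local scheduled task) pass, and the other three are flagged. The msiexec rule is deliberately about the presence of an unknown property rather than the specific key length, since an operator can choose any property name; the hex-length check only adds context to the alert.
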
References