
    Cyber Intruders Aim at Governments in Middle East with Elusive “CR4T” Backdoor

    Government entities in the Middle East have been targeted as part of a previously undocumented campaign that delivers a new backdoor tracked as CR4T.

    Russian cybersecurity company Kaspersky discovered the campaign in February 2024, and the evidence suggests it may have been active for at least a year before that. Kaspersky tracks the operation as DuneQuixote.

    “The collective steering this endeavor has taken calculated measures to obstruct the gathering and scrutiny of its implants and has executed practical and finely-crafted evasion strategies, both within network interactions and the malicious software itself,” remarked Kaspersky.

    The attack begins with a dropper that comes in two variants: a regular dropper, delivered either as an executable or as a DLL file, and a tampered installer for the legitimate file manager Total Commander.

    In either variant, the dropper's main job is to recover an embedded command-and-control (C2) address. The address is stored encrypted and is decrypted with an unusual scheme intended to keep it hidden from automated malware analysis tools.

    Specifically, the dropper takes its own filename and concatenates it with one of several hardcoded excerpts of Spanish poetry embedded in its code, then computes the MD5 hash of the combined string. That hash is the decryption key for the C2 server address, so an analysis environment that renames the sample before running it derives the wrong key and never sees the real C2.
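    The snippet below is an added example, not code from the page, from Kaspersky, or from the malware itself. It replays the key derivation as described (MD5 over the dropper's filename concatenated with a poem excerpt) and shows why it defeats sandboxes that rename submitted samples. The poem strings, the filename, the C2 address, the use of the raw 16-byte digest as the key, and the repeating-key XOR standing in for the undisclosed cipher are all assumptions.

```python
import hashlib
import re
from itertools import cycle
from typing import Optional

# Hypothetical stand-ins for the hardcoded poem excerpts; the real strings
# carried by the dropper are not reproduced on the page.
POEM_SNIPPETS = [
    "En un lugar de la Mancha",
    "de cuyo nombre no quiero acordarme",
    "no ha mucho tiempo que vivia un hidalgo",
]


def derive_key(filename: str, snippet: str) -> bytes:
    """MD5(filename || snippet), as the page describes the key derivation.
    Assumptions: the dropper uses its bare on-disk file name, and the raw
    16-byte digest (rather than the hex string) is the key."""
    return hashlib.md5((filename + snippet).encode("utf-8")).digest()


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, a stand-in for the undisclosed cipher the dropper
    applies with the MD5 key. It is its own inverse, so one function both
    encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encrypt_c2(c2: str, filename: str, snippet: str) -> bytes:
    """Build the encrypted C2 blob the way the dropper's author would."""
    return xor_stream(c2.encode("ascii"), derive_key(filename, snippet))


# Loose host[:port] shape used to recognise a successful decryption.
_HOST_RE = re.compile(rb"^[a-z0-9.-]{4,}\.[a-z]{2,}(?::[0-9]{1,5})?$")


def recover_c2(filename: str, blob: bytes) -> Optional[str]:
    """Analyst-side replay: given the file name the dropper had on the victim,
    try every embedded snippet and return the first plaintext that looks like
    a C2 address. Returns None when no key yields one, which is exactly what
    happens once a sandbox has renamed the sample."""
    for snippet in POEM_SNIPPETS:
        candidate = xor_stream(blob, derive_key(filename, snippet))
        if _HOST_RE.match(candidate):
            return candidate.decode("ascii")
    return None


if __name__ == "__main__":
    # Constructed sample: the file name and C2 are illustrative, not from the campaign.
    original_name = "TotalCmd-setup.exe"
    blob = encrypt_c2("c2.example.test:443", original_name, POEM_SNIPPETS[1])
    print("original name :", recover_c2(original_name, blob))
    print("renamed sample:", recover_c2("sample.bin", blob))
```

    The practical consequence for analysts is that the original filename is part of the key material: when a sample arrives without it, the C2 cannot be recovered by running the dropper alone, and the filename has to be obtained from the victim host or from telemetry.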

    The dropper then contacts the C2 server and downloads a next-stage payload, but only if it presents a hardcoded ID as the User-Agent string in the HTTP request.

    “The payload remains inaccessible for retrieval unless the correct user agent is supplied,” noted Kaspersky. “Moreover, it seems the payload may only be retrieved once per target or is only accessible for a brief duration post the dissemination of a malware specimen into the wild.”

    The trojanized Total Commander installer differs in a few respects but retains the core functionality of the regular dropper.

    It drops the Spanish poem strings and adds anti-analysis checks that prevent it from connecting to the C2 server if a debugger or monitoring tool is present, if the cursor position has not changed after a set period, if the available RAM is below 8 GB, or if the disk capacity is below 40 GB.
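    The following is an added example, not code from the page or from the malware, that models those four checks so a sandbox operator can see which ones a given environment would trip. The thresholds come from the page; the check names, the use of total physical memory for the RAM figure, the two-sample cursor comparison, and the host-probing helpers are assumptions.

```python
import ctypes
import os
import shutil
import sys
import time
from dataclasses import dataclass
from typing import List, Tuple

GIB = 1024 ** 3
MIN_RAM_BYTES = 8 * GIB    # threshold reported for the trojanized installer
MIN_DISK_BYTES = 40 * GIB  # likewise


@dataclass
class HostFacts:
    ram_bytes: int
    disk_bytes: int
    cursor_samples: Tuple[Tuple[int, int], ...]  # positions seen over the wait
    debugger_present: bool


def failed_checks(facts: HostFacts) -> List[str]:
    """Names of the checks that would make the dropper refuse to contact C2.
    Any single hit is enough; the order follows the description on the page."""
    hits: List[str] = []
    if facts.debugger_present:
        hits.append("debugger_or_monitor")
    if len(set(facts.cursor_samples)) < 2:
        hits.append("cursor_static")
    if facts.ram_bytes < MIN_RAM_BYTES:
        hits.append("ram_below_8gib")
    if facts.disk_bytes < MIN_DISK_BYTES:
        hits.append("disk_below_40gib")
    return hits


def _cursor_pos() -> Tuple[int, int]:
    """Cursor position via GetCursorPos on Windows; elsewhere a fixed point,
    since the standard library has no portable cursor API (so the cursor
    check always trips off Windows)."""
    if sys.platform != "win32":
        return (0, 0)

    class POINT(ctypes.Structure):
        _fields_ = [("x", ctypes.c_long), ("y", ctypes.c_long)]

    pt = POINT()
    ctypes.windll.user32.GetCursorPos(ctypes.byref(pt))
    return (pt.x, pt.y)


def _ram_bytes() -> int:
    """Total physical memory: GlobalMemoryStatusEx on Windows, sysconf elsewhere."""
    if sys.platform == "win32":
        class MEMORYSTATUSEX(ctypes.Structure):
            _fields_ = [("dwLength", ctypes.c_ulong),
                        ("dwMemoryLoad", ctypes.c_ulong)] + [
                (name, ctypes.c_ulonglong) for name in (
                    "ullTotalPhys", "ullAvailPhys", "ullTotalPageFile",
                    "ullAvailPageFile", "ullTotalVirtual", "ullAvailVirtual",
                    "ullAvailExtendedVirtual")]
        ms = MEMORYSTATUSEX()
        ms.dwLength = ctypes.sizeof(ms)
        ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(ms))
        return int(ms.ullTotalPhys)
    try:
        return os.sysconf("SC_PHYS_PAGES") * os.sysconf("SC_PAGE_SIZE")
    except (ValueError, OSError, AttributeError):
        return 0


def collect_facts(wait_seconds: float = 0.0) -> HostFacts:
    """Best-effort self-test of the current host against the same thresholds,
    intended to be run inside a sandbox image. The debugger check uses
    IsDebuggerPresent on Windows and sys.gettrace() elsewhere."""
    first = _cursor_pos()
    time.sleep(wait_seconds)
    second = _cursor_pos()
    if sys.platform == "win32":
        dbg = bool(ctypes.windll.kernel32.IsDebuggerPresent())
    else:
        dbg = sys.gettrace() is not None
    return HostFacts(
        ram_bytes=_ram_bytes(),
        disk_bytes=shutil.disk_usage(os.path.abspath(os.sep)).total,
        cursor_samples=(first, second),
        debugger_present=dbg,
    )


if __name__ == "__main__":
    facts = collect_facts(wait_seconds=2.0)
    print(facts)
    print("checks this host would trip:", failed_checks(facts) or "none")
```

    Note that the comparisons are strict: a machine with exactly 8 GB of RAM and a 40 GB disk passes. A detonation VM built with less than that, or without simulated mouse movement during the wait, never produces the C2 traffic an analyst is looking for.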

    CR4T (named after its PDB path, "CR4T.pdb") is a memory-only implant written in C/C++. It gives the attackers a console for running commands on the compromised machine, performing file operations, and uploading and downloading files once it has contacted the C2 server.

    Kaspersky also found a Golang version of CR4T with the same capabilities, plus the ability to execute arbitrary commands and create scheduled tasks through the Go-ole library.

    The Golang CR4T backdoor can also establish persistence through COM object hijacking and uses the Telegram API for its C2 communications.
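    As an added example that is not code from the page, from Kaspersky, or from the malware, the audit below shows the registry condition that COM object hijacking creates and that defenders can look for: a per-user CLSID entry under HKCU whose InprocServer32 takes precedence over the machine-wide HKLM entry. The CLSIDs and paths in the sample data are constructed; on a live host the two dicts would be filled from the registry (for example with the winreg module).

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    clsid: str
    user_server: str
    machine_server: str  # "" when HKLM has no entry for the CLSID
    reason: str


# Paths a standard user can write to. A COM server loaded from one of these
# under HKCU is suspicious even when HKLM has no entry for the CLSID.
_USER_WRITABLE = re.compile(
    r"^(?:%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%|[a-z]:\\users\\[^\\]+\\)",
    re.IGNORECASE,
)


def find_com_hijacks(hkcu: Dict[str, str], hklm: Dict[str, str]) -> List[Finding]:
    """Audit HKCU\\Software\\Classes\\CLSID\\{clsid}\\InprocServer32 entries
    (dict CLSID -> server path) against their HKLM counterparts. COM consults
    HKCU before HKLM, so a user-hive entry that differs from the machine-hive
    one silently replaces the DLL every process loads for that CLSID; an entry
    pointing into a user-writable directory is reported as well."""
    machine = {k.upper(): v for k, v in hklm.items()}
    findings: List[Finding] = []
    for raw_clsid, user_path in hkcu.items():
        clsid = raw_clsid.upper()
        machine_path = machine.get(clsid, "")
        user_norm = user_path.strip('"').lower()
        if machine_path and user_norm != machine_path.strip('"').lower():
            findings.append(Finding(clsid, user_path, machine_path, "shadows HKLM server"))
        elif _USER_WRITABLE.match(user_path.strip('"')):
            findings.append(Finding(clsid, user_path, machine_path, "loads from user-writable path"))
    return findings


# Constructed sample registry contents (CLSIDs and paths are made up).
SAMPLE_HKLM = {
    "{11111111-2222-3333-4444-555555555555}": r"C:\Windows\System32\legit.dll",
    "{22222222-3333-4444-5555-666666666666}": r"C:\Windows\System32\other.dll",
}
SAMPLE_HKCU = {
    # shadows the HKLM server with a DLL in the user's profile
    "{11111111-2222-3333-4444-555555555555}": r"C:\Users\alice\AppData\Roaming\Updater\svc.dll",
    # same server as HKLM (case differs only): benign
    "{22222222-3333-4444-5555-666666666666}": r"c:\windows\system32\other.dll",
    # no HKLM entry, but loads from a user-writable location
    "{33333333-4444-5555-6666-777777777777}": r"%LOCALAPPDATA%\Temp\helper.dll",
}

if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_HKCU, SAMPLE_HKLM):
        print(f"{f.clsid}: {f.reason}: {f.user_server} (HKLM: {f.machine_server or '-'})")
```

    Because HKCU\Software\Classes is writable by the user, this persistence needs no administrative rights, which is why an inventory of user-hive CLSID entries is a cheap and effective hunt on Windows endpoints.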

    The existence of the Golang variant suggests that the unidentified actors behind DuneQuixote are actively refining their tradecraft with cross-platform malware.

    “The ‘DuneQuixote’ operation sets its sights on entities within the Middle East, employing an intriguing suite of tools crafted for stealth and endurance,” remarked Kaspersky.

    “By deploying memory-exclusive implants and droppers masquerading as legitimate software, mimicking the Total Commander installer, the assailants exhibit capabilities and strategies above the norm in evading detection.”
