‘DuneQuixote’ shows stealth cyberattack methods are evolving. Can defenders keep up?
If a recent wily cyber-espionage campaign against Middle Eastern government entities is any indication, cyber defenders will need to upgrade their malware detection capabilities soon.
Cybersecurity, the trope goes, is a cat-and-mouse game. Companies move to Linux and macOS, so attackers follow them there. Attackers deliver malware in phishing attachments, so Microsoft blocks Internet macros, so attackers adjust. As cybersecurity tooling grows stronger, attackers’ methods for circumventing it grow more creative and effective.
So it was that in February, Kaspersky researchers discovered a threat actor spying on a Middle Eastern government organization. By the time Kaspersky reached the attack, at least 30 infections had already been recorded against other organizations, primarily around the Middle East. Despite that, the campaign — dubbed “DuneQuixote” — had managed to remain obscured for at least a year, thanks in large part to a combination of classic and novel stealth techniques.
As experts are quick to point out, cyberattackers across the board have been upgrading their stealth. Perhaps they’re once again gaining the edge?
“It’s absolutely trivial to create new malware that evades anti-malware detection,” says David Brumley, cybersecurity professor at Carnegie Mellon and CEO of ForAllSecure. “Even ‘advanced’ behavioral analysis is pretty easy to fool with a few tricks. That means there is a huge volume of malware that would need manual analysis to really figure out what is happening. And of course, with all the custom tricks, that makes it really hard to do.”
DuneQuixote and Spanish Poetry
The DuneQuixote campaign consists of two separate malware droppers and two separate payloads.
One dropper mimics the Total Commander software installer, packaging the legitimate software with its malicious contribution. Once inside a targeted machine, it runs through a series of anti-analysis checks, including, for example, whether any known security software is present on the device. Should any of its checks fail, the malware will return a value of “1,” which has a coded meaning. When it comes time to decrypt the attackers’ command-and-control (C2) server address, the 1 value will remove the “h” from “https,” so that the C2 URL will begin with only “ttps,” and no connection will be made at all.
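As an added illustration (not code from the article or from Kaspersky’s analysis), the Python below emulates the check-dependent C2 decryption described above from an analyst’s point of view: the single-byte XOR cipher, the key, the function names and the placeholder C2 address are all assumptions, since the article does not describe the dropper’s real routine.

```python
from urllib.parse import urlparse

# Constructed sample: the "encrypted" C2 string is XOR'd with a one-byte key.
# The real dropper's cipher is not described in the article; XOR is a stand-in.
KEY = 0x5A
REAL_C2 = "https://c2.example.invalid/beacon"           # placeholder, not a real indicator
ENCRYPTED_C2 = bytes(b ^ KEY for b in REAL_C2.encode())  # constructed ciphertext


def anti_analysis_check(security_software_present: bool) -> int:
    """Mirror the described behaviour: a failed check yields 1, otherwise 0."""
    return 1 if security_software_present else 0


def decrypt_c2(blob: bytes, key: int, check_result: int) -> str:
    """Decrypt the C2 string, starting at the offset given by the check result.

    With check_result == 0 the full string is recovered; with 1 the first
    character ("h") is skipped, leaving "ttps://..." as the article describes.
    """
    plain = bytes(b ^ key for b in blob).decode()
    return plain[check_result:]


def would_connect(url: str) -> bool:
    """An HTTP client will only talk to a URL with a real http/https scheme."""
    return urlparse(url).scheme in ("http", "https")


def recover_c2_for_analysis(blob: bytes, key: int) -> str:
    """Analyst helper: decrypt as if every anti-analysis check had passed."""
    return decrypt_c2(blob, key, check_result=0)


if __name__ == "__main__":
    for present in (True, False):
        url = decrypt_c2(ENCRYPTED_C2, KEY, anti_analysis_check(present))
        print(f"security software present={present}: {url!r} connect={would_connect(url)}")
    print("recovered:", recover_c2_for_analysis(ENCRYPTED_C2, KEY))
```

The practical lesson for sandbox operators is that a sample which decrypts its configuration to a scheme-less string such as "ttps://" has detected the analysis environment, so a silent run is a finding in itself rather than proof that the binary is benign.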
The second DuneQuixote dropper is even more clever. When executed, its first act is to make a series of application programming interface (API) calls which at first appear to serve no actual purpose. Instead they contain strings with snippets from Spanish poems, which have a secret effect. Each instance of the dropper contains different lines of poetry, which earns each instance its own, unique signature. This makes things difficult for simple detection solutions, which rely on common signatures to identify new instances of known malware.
To read the complete article, visit Dark Reading.