Government Entities In The Middle East Targeted With DuneQuixote Dropper And CR4T Malware

A malware campaign dubbed DuneQuixote was detected primarily targeting Middle Eastern governments. The campaign used a total of over 30 dropper samples which included a tainted installer that mimicked legitimate software named Total Commander to deploy a backdoor malware known as CR4T.Analysis of the initial droppers revealed that is was developed in C/C++ without using the Standard Template Library (STL) and pure Assembler. Upon execution a series of decoy dynamic API call resolutions were used to disguise activities before some unique techniques designed to prevent exposure of the C2 by automated malware analysis tools were used to decrypt the C2 addresses and further hinder analysis. The second installer dropper analyzed was a Total Commander imposter which incorporated other evasion techniques like system checks against debugging and system monitoring tools as well as the adaptability to be reactive to system conditions like RAM and disk space. Lastly an in memory only CR4T implant was analyzed which was designed to grant attackers access to a console window for command line execution on the victims machine the CR4T implant is written in both a C/C++ and Golang version. Upon execution the malware initiates cmd.exe in a hidden window and establishes two named pipes that allow inter-process communication the malware collects system info and remains idle until upload of data is requested or encoded commands are received.