ThreatPost – Duqu 2.0 Attackers Used Stolen Foxconn Certificate to Sign Driver

The attackers behind the recently disclosed Duqu 2.0 APT have used stolen digital certificates to help sneak their malware past security defenses, and one of the certificates used in the attacks was issued to Foxconn, the Chinese company that manufactures products for Apple, BlackBerry, Dell, and many other companies.

Researchers at Kaspersky Lab, who discovered the Duqu 2.0 campaign, said Monday that the certificate was used to sign a driver that the attackers employed as part of their technique for getting malicious traffic in and out of compromised networks. Because the Duqu 2.0 malware doesn’t have a typical persistence mechanism, the attackers used a variety of methods to ensure they could regain access to target systems as needed. One of those techniques involves installing malicious drivers on network gear, including firewalls, and then using them to redirect traffic to a specific set of ports.

“The attackers created an unusual persistence module which they deploy on compromised networks. It serves a double function – it also supports a hidden C&C communication scheme. This organization-level persistence is achieved by a driver that is installed as a normal system service. On 64-bit systems, this implies a strict requirement for an Authenticode digital signature. We have seen two such persistence drivers deployed in the course of attacks,” an analysis from the Kaspersky researchers says.
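The persistence driver described above is installed as an ordinary signed system service, and a stolen certificate passes Authenticode validation just as well as a legitimate one, so the signer identity, not the signature status, is what a defender has to review. The following PowerShell is an added example (not from Threatpost or Kaspersky) that enumerates installed drivers and reports their signers; the trusted-signer list and the `Foxconn` watchlist string are assumptions, the latter taken from the article rather than from any real certificate subject.

```powershell
# Added example: report installed kernel drivers whose Authenticode signer is
# unexpected, on a watchlist, or whose signature does not validate.
function Get-DriverSignatureReport {
    param(
        # Subject substrings treated as expected signers (assumed defaults).
        [string[]] $TrustedSubjects = @('Microsoft Windows', 'Microsoft Corporation'),
        # Placeholder from the article; real subjects must come from your own threat intel.
        [string[]] $Watchlist = @('Foxconn')
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may use \??\ or \SystemRoot prefixes or quotes; normalise it.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = $path -replace '"', ''
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig     = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            $trusted = $TrustedSubjects | Where-Object { $subject -like "*$_*" }
            $watched = $Watchlist      | Where-Object { $subject -like "*$_*" }

            # A stolen certificate still yields Status = Valid, hence the signer checks.
            $flag = if ($watched)                    { 'WATCHLIST' }
                    elseif ($sig.Status -ne 'Valid') { 'BAD_SIGNATURE' }
                    elseif (-not $trusted)           { 'THIRD_PARTY' }
                    else                             { '' }

            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $path
                Status    = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer    = $subject
                Flag      = $flag
            }
        }
}

# Review flagged entries first: a driver with a Valid signature from a vendor that
# has no business shipping code on this host is the pattern described in the article.
Get-DriverSignatureReport | Where-Object Flag | Sort-Object Flag | Format-Table -AutoSize
```

Run from an elevated prompt so every driver path is readable; a baseline taken from a known-good host turns the THIRD_PARTY bucket into a short diff rather than a long list.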

More of the Threatpost blog entry

About Tony Johnson

Innovative helps you balance your business requirements, service levels, staff and infrastructure to make your IT as effective as possible. Tony Johnson is Vice President of Operations at Innovative and has been helping clients optimize their IT spend and operations since 1983.
