Kaspersky researchers have discovered an ongoing malicious campaign initially targeting a governmental entity in the Middle East. Further investigation uncovered more than 30 malware dropper samples actively employed in this campaign, allegedly expanding the victimology to APAC, Europe and North America. Dubbed DuneQuixote, the malware strings incorporate snippets taken from Spanish poems to enhance persistence and evade detection, with the ultimate goal of cyber espionage.
As part of ongoing monitoring of malicious activity, Kaspersky experts uncovered a previously unknown cyber espionage campaign in February 2024, targeting a governmental entity in the Middle East. The attacker covertly spied on the target and harvested sensitive data using a sophisticatedly crafted array of tools designed for stealth and persistence.
The malware’s initial droppers disguise themselves as tampered installer files for a legitimate tool named Total Commander. Within these droppers, strings from Spanish poems are embedded, with different strings from one sample to another. This variation aims to alter the signature of each sample, making detection by traditional methodologies more challenging.
Embedded within the dropper is malicious code designed to download additional payloads in the form of a backdoor named CR4T. These backdoors, developed in C/C++ and GoLang, aim to grant attackers access to the victim’s machine. Notably, the GoLang variant utilizes the Telegram API for C2 communications, implementing public Golang telegram API bindings.
“The variations of the malware showcase the adaptability and resourcefulness of the threat actors behind this campaign. At the moment, we have discovered two such implants, yet we strongly suspect the existence of additional ones,” comments Sergey Lozhkin, principal security researcher at Kaspersky’s GReAT (Global Research and Analysis Team).
Kaspersky telemetry identified a victim in the Middle East as early as February 2024. Additionally, several uploads of the same malware to a semi-public malware scanning service occurred at the end of 2023, with more than 30 submissions. Other sources suspected to be VPN exit nodes are located in South Korea, Luxembourg, Japan, Canada, the Netherlands, and the U.S.
