# The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns **[securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/](https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/)** [APT reports](https://securelist.com/category/apt-reports/) [APT reports](https://securelist.com/category/apt-reports/) 10 Jun 2015 minute read ----- Authors GReAT ## New zero-day used for effective kernel memory injection and stealth Earlier this year, during a security sweep, Kaspersky Lab detected a cyber-intrusion affecting several of our internal systems. Following this finding, we launched a large scale investigation, which led to the discovery of a new malware platform from one of the most skilled, mysterious and powerful groups in the APT world – Duqu. The Duqu threat actor went dark in 2012 and was believed to have stopped working on this project – until now. Our technical analysis indicates the new round of attacks include an updated version of the infamous 2011 Duqu malware, sometimes referred to as the stepbrother of Stuxnet. We named this new malware and its associated platform “Duqu 2.0”. [Some of the new 2014-2015 Duqu infections are linked to the P5+1 events and venues](https://www.whitehouse.gov/issues/foreign-policy/iran-negotiations) related to the negotiations with Iran about a nuclear deal. The threat actor behind Duqu appears to have launched attacks at the venues for some of these high level talks. In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau. ----- In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected. More details can be found in our [technical paper.](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf) From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost. At Kaspersky Lab, we strongly believe in transparency, which is why we are going public with this information. Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services. ## Duqu 2.0 – Indicators of Compromise (IOCs) ### MD5s **Action loaders:** 089a14f69a31ea5e9a5b375dc0c46e45 16ed790940a701c813e0943b5a27c6c1 26c48a03a5f3218b4a10f2d3d9420b97 a6dcae1c11c0d4dd146937368050f655 acbf2d1f8a419528814b2efa9284ea8b c04724afdb6063b640499b52623f09b5 e8eaec1f021a564b82b824af1dbe6c4d 10e16e36fe459f6f2899a8cea1303f06 48fb0166c5e2248b665f480deac9f5e1 520cd9ee4395ee85ccbe073a00649602 7699d7e0c7d6b2822992ad485caacb3e 84c2e7ff26e6dd500ec007d6d5d2255e 856752482c29bd93a5c2b62ff50df2f0 85f5feeed15b75cacb63f9935331cf4e 8783ac3cc0168ebaef9c448fbe7e937f 966953034b7d7501906d8b4cd3f90f6b a14a6fb62d7efc114b99138a80b6dc7d a6b2ac3ee683be6fbbbab0fa12d88f73 cc68fcc0a4fab798763632f9515b3f92 ----- **Cores:** 3f52ea949f2bd98f1e6ee4ea1320e80d c7c647a14cb1b8bc141b089775130834 ### C&C IPs 182.253.220.29 186.226.56.103 To check your network for Duqu’s 2.0 presence, you can also use the open IOC file available [here.](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205210/7c6ce6b6-fee1-4b7b-b5b5-adaff0d8022f.ioc) [APT](https://securelist.com/tag/apt/) [Cyber espionage](https://securelist.com/tag/cyber-espionage/) [Duqu](https://securelist.com/tag/duqu/) [Malware](https://securelist.com/tag/malware/) [Nation State Sponsored Espionage](https://securelist.com/tag/nation-state-sponsored-espionage/) [Targeted attacks](https://securelist.com/tag/targeted-attacks/) Authors GReAT The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns Your email address will not be published. Required fields are marked * GReAT webinars 13 May 2021, 1:00pm ### GReAT Ideas. Balalaika Edition From the same authors ----- ### APT annual review: What the world’s threat actors got up to in 2020 Cyberthreats to financial organizations in 2021 ----- ### Advanced Threat predictions for 2021 Ghimob: a Tétrade threat actor moves to infect mobile devices ----- ### APT trends report Q3 2020 Subscribe to our weekly e-mails The hottest research right in your inbox ----- Reports ### APT trends report Q1 2022 This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022. ### Lazarus Trojanized DeFi app for delivering malware We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor. ### MoonBounce: the dark side of UEFI firmware At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41. ### The BlueNoroff cryptocurrency hunt is still on ----- It appears that BlueNoroff shifted focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main source of the group’s illegal income. Subscribe to our weekly e-mails The hottest research right in your inbox ----- -----