
Dune Quixote campaign targets countries with CR4T backdoor


A sophisticated malware campaign, dubbed Dune Quixote, using the CR4T malware, has been targeting government entities across the Middle East, South Korea, Luxembourg, Japan, Canada, the Netherlands and the US since February 2023.

The campaign employs over 30 distinct dropper samples, categorised into two versions: regular droppers and tampered installer files posing as the legitimate tool ‘Total Commander.’

These droppers are designed to deliver a malicious payload known as ‘CR4T,’ a backdoor that facilitates unauthorised access and control over infected systems.

“The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion methods both in network communications and in the malware code,” noted researchers.

The initial dropper, disguised as a Windows x64 executable, utilises decoy API calls and Spanish poem snippets to obfuscate its code and evade traditional detection methods. Additionally, the Total Commander installer dropper masquerades as legitimate software, leveraging anti-analysis measures to thwart detection efforts.

“The installer dropper retains the core functionality of the initial dropper but with several key differences. Unlike the original dropper, it omits the use of Spanish poem strings and the execution of decoy functions,” explained researchers.

CR4T utilising the Golang Go-ole library. | Source: Securelist

The CR4T backdoor grants attackers command line execution privileges on compromised machines, enabling file manipulation and interactive control. Notably, variations of CR4T exist in both C/C++ and Golang versions, showcasing the adaptability and sophistication of the threat actors.

The threat actors behind DuneQuixote demonstrate advanced evasion techniques, including dynamic API call resolution, unique C2 server address decryption methods, and anti-analysis checks to detect virtual environments and monitoring tools.

Researchers discovered that the campaign’s command and control infrastructure is primarily hosted in the United States, facilitating communication and data exfiltration.

“The DuneQuixote campaign targets entities in the Middle East with an interesting array of tools designed for stealth and persistence. By deploying memory-only implants and droppers masquerading as legitimate software, mimicking the Total Commander installer, the attackers demonstrate above-average evasion capabilities and techniques,” researchers concluded.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
