Middle East Government Entities Targeted in New Cyber Espionage Campaign

A recent report by Russian cybersecurity company Kaspersky has revealed a previously undocumented cyber espionage campaign targeting government entities in the Middle East. The campaign involves the delivery of a new backdoor named CR4T and has been codenamed “DuneQuixote.”

According to Kaspersky, the campaign was first discovered in February 2024, with evidence suggesting that it may have been active for at least a year prior. The attackers behind the campaign have implemented sophisticated evasion methods to prevent detection and analysis of their activities.

The attack starts with a dropper, which comes in two variants – a regular dropper implemented as an executable or DLL file, and a tampered installer file for a legitimate tool called Total Commander. The dropper’s primary function is to extract an embedded command-and-control (C2) address using a novel technique to prevent exposure to automated malware analysis tools.

Once the C2 address is decrypted, the dropper connects to the server and downloads a next-stage payload. The server only serves the payload when the request carries the expected user agent, so a generic fetch of the URL by an analyst or an automated scanner returns nothing useful, another indicator of the care taken to hinder analysis.

The backdoor, CR4T, is a C/C++-based memory-only implant that allows attackers to execute commands, perform file operations, and communicate with the C2 server. Additionally, a Golang version of CR4T with similar features has been identified, showing that the threat actors are actively refining their malware tactics.

Kaspersky warns that the DuneQuixote campaign targets entities in the Middle East with an array of tools designed for stealth and persistence. By deploying memory-only implants, which leave little on disk for conventional file-based detection, and droppers disguised as legitimate software, the attackers demonstrate advanced evasion capabilities.

The presence of the Golang variant indicates that the threat actors are expanding their operations to include cross-platform malware. The campaign highlights the need for organizations to remain vigilant against evolving cyber threats and to implement robust security measures to protect against sophisticated attacks.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
