OnionDuke: APT Attacks Via the Tor Network

Recently, research was published identifying a Tor exit node, located in Russia, that was consistently and maliciously modifying any uncompressed Windows executables downloaded through it. Naturally this piqued our interest, so we decided to peer down the rabbit hole. Suffice it to say, the hole was a lot deeper than we expected! In fact, it went all the way back to the notorious Russian APT family MiniDuke, known to have been used in targeted attacks against NATO and European government agencies. The malware used in this case is, however, not a version of MiniDuke. It is instead a separate, distinct family of malware that we have since taken to calling OnionDuke.

When a user attempts to download an executable via the malicious Tor exit node, what they actually receive is an executable "wrapper" that embeds both the original executable and a second, malicious executable. By using a separate wrapper, the malicious actors are able to bypass any integrity checks the original binary might contain. Upon execution, the wrapper will proceed to write to disk and execute the original executable, thereby tricking the user into believing that everything went fine. However, the wrapper will also write to disk and execute the second executable. In all the cases we have observed, this malicious executable has been the same binary (SHA1: a75995f94854dea8799650a2f4a97980b71199d2, detected as Trojan-Dropper:W32/OnionDuke.A). This executable is a dropper containing a PE resource that pretends to be an embedded GIF image file. In reality, the resource is an encrypted dynamically linked library (DLL). The dropper will proceed to decrypt this DLL, write it to disk and execute it. Once executed, the DLL file (SHA1: b491c14d8cfb48636f6095b7b16555e9a575d57f, detected as Backdoor:W32/OnionDuke.B) will decrypt an embedded configuration (shown below) and attempt to connect to hardcoded C&C URLs specified in the configuration data. From these C&Cs the malware may receive instructions to download and execute additional malicious components.

A screenshot of the embedded configuration data

It should be noted that we believe all five domains contacted by the malware are innocent websites compromised by the malware operators, not dedicated malicious servers. Through our research, we have also been able to identify multiple other components of the OnionDuke malware family. We have, for instance, observed components dedicated to stealing login credentials from the victim machine and components dedicated to gathering further information on the compromised system, such as the presence of antivirus software or a firewall. Some of these components have been observed being downloaded and executed by the original backdoor process, but for other components we have yet to identify the infection vector. Most of these components don't embed their own C&C information but rather communicate with their controllers through the original backdoor process. One component, however, is an interesting exception.
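Two triage checks that follow from the wrapper-and-dropper description above, written here as an added example: this is not F-Secure's code and is not derived from the OnionDuke samples. The first scans a downloaded file for every embedded PE image (an "MZ" header whose e_lfanew points at a valid "PE\0\0" signature), so a wrapper carrying the original executable plus a second one stands out. The second judges a resource entry that is declared to be a GIF by checking the GIF signature and the entropy of its bytes, which is what a resource that is really an encrypted DLL fails. Pulling the .rsrc entries out of a real PE is left to an external parser such as pefile (assumed, not shown); the entropy threshold is a chosen heuristic, and every sample blob below is constructed inline rather than taken from real malware.

```python
"""Triage helpers for (1) wrapper executables that embed further PE images and
(2) resources that claim to be GIFs but carry an encrypted payload.

Added example, not the original analysis' code. Sample data is constructed.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import List

GIF_MAGICS = (b"GIF87a", b"GIF89a")
HIGH_ENTROPY = 7.2        # bits/byte heuristic; random or encrypted data sits near 8.0
MAX_E_LFANEW = 0x1000     # sanity bound on the offset from "MZ" to "PE\0\0"


def find_embedded_pe(blob: bytes) -> List[int]:
    """Return the offset of every byte range that looks like the start of a PE image.

    A start is "MZ" at offset o with the little-endian DWORD at o + 0x3C
    (IMAGE_DOS_HEADER.e_lfanew) pointing at "PE\\0\\0" inside the blob.
    More than one hit means the file carries additional executables.
    """
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = int.from_bytes(blob[pos + 0x3C:pos + 0x40], "little")
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew <= MAX_E_LFANEW and blob[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 2)
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Verdict:
    magic_ok: bool
    entropy: float
    suspicious: bool
    reason: str


def triage_gif_resource(data: bytes) -> Verdict:
    """Judge a resource entry that is declared (by name or type) to be a GIF."""
    entropy = shannon_entropy(data)
    if data[:6] in GIF_MAGICS:
        return Verdict(True, entropy, False, "GIF signature present")
    if entropy >= HIGH_ENTROPY:
        return Verdict(False, entropy, True,
                       "no GIF signature and near-random bytes: likely encrypted payload")
    return Verdict(False, entropy, True, "no GIF signature")


# --- constructed samples (not real malware) ---------------------------------

def make_stub_pe() -> bytes:
    """Smallest layout find_embedded_pe() accepts: MZ, e_lfanew=0x40, PE\\0\\0."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def make_wrapper_sample() -> bytes:
    """A wrapper stub with two further PE images appended, separated by padding."""
    pad = b"\x00" * 32
    return make_stub_pe() + pad + make_stub_pe() + pad + make_stub_pe()


def make_real_gif() -> bytes:
    """Header, 1x1 logical screen descriptor, trailer: a valid, empty GIF."""
    return b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"


def make_fake_gif_resource(size: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted DLL body."""
    rng = random.Random(7)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    print("PE image offsets in wrapper sample:", find_embedded_pe(make_wrapper_sample()))
    print("declared GIF, real     :", triage_gif_resource(make_real_gif()))
    print("declared GIF, encrypted:", triage_gif_resource(make_fake_gif_resource()))
```

The signature check carries the decision for the resource case: a genuine GIF body is LZW-compressed and can itself score fairly high on entropy, so entropy alone only grades how strongly a resource without the magic looks encrypted. For the wrapper case, any offset other than 0 in the returned list is worth a closer look, since a legitimately built installer rarely contains complete PE images at arbitrary offsets.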