Government entities in the Middle East have been targeted as part of a previously undocumented campaign to deliver a new backdoor dubbed CR4T. Russian cybersecurity company Kaspersky said it discovered the activity in February 2024, with evidence suggesting that it may have been active since at least a year prior. The campaign has been codenamed DuneQuixote.

"The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion methods both in network communications and in the malware code," Kaspersky said.

The starting point of the attack is a dropper, which comes in two variants — a regular dropper that's either implemented as an executable or a DLL file and a tampered installer file for a legitimate tool named Total Commander.

Regardless of the method used, the primary function of the dropper is to extract an embedded command-and-control (C2) address that's decrypted using a novel technique to prevent the server address from being exposed to automated malware analysis tools.

Specifically, it entails obtaining the filename of the dropper and stringing it together with one of the many hard-coded snippets from Spanish poems present in the dropper code. The malware then calculates the MD5 hash of the combined string, which acts as the key to decode the C2 server address.

The dropper subsequently establishes connections with the C2 server and downloads a next-stage payload after providing a hard-coded…
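The key derivation described above is why the C2 address stays hidden from sandboxes that rename a sample (for example to its hash) before detonating it: the filename is part of the key material. The analyst-side helper below is an added example, not Kaspersky's code or the dropper's; the poem snippets, the placeholder C2 and the XOR cipher are assumptions (the article states only that the key is the MD5 of filename plus snippet, not which cipher consumes it).

```python
import hashlib
from itertools import cycle

# Constructed stand-ins for the hard-coded Spanish poem snippets (assumption:
# the real dropper's strings are not reproduced on the page).
POEM_SNIPPETS = [
    "En un lugar de la Mancha",
    "Caminante, no hay camino",
]


def derive_key(filename: str, snippet: str) -> bytes:
    """Key = MD5(dropper filename || poem snippet), as described for DuneQuixote."""
    return hashlib.md5((filename + snippet).encode("utf-8")).digest()


def xor_stream(data: bytes, key: bytes) -> bytes:
    # Assumed cipher: repeating-key XOR with the 16-byte MD5 digest.
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_c2(candidate: bytes) -> bool:
    """Accept only hostname/URL-like ASCII; random bytes from a wrong key fail this."""
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789.-:/")
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(text) and "." in text and all(c in allowed for c in text)


def recover_c2(blob: bytes, filename: str, snippets=POEM_SNIPPETS):
    """Try every snippet with the sample's ORIGINAL filename; return (c2, snippet) or None.

    Returning None for a renamed sample is the evasion the article describes:
    preserve the original on-disk name when submitting the dropper for analysis.
    """
    for snippet in snippets:
        plain = xor_stream(blob, derive_key(filename, snippet))
        if looks_like_c2(plain):
            return plain.decode("ascii"), snippet
    return None


def encrypt_fixture(c2: str, filename: str, snippet: str) -> bytes:
    """Constructed test fixture only: store a placeholder C2 the way the blob would be."""
    return xor_stream(c2.encode("ascii"), derive_key(filename, snippet))
```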