Skip to content

S0038 Duqu

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. 1

Item Value
ID S0038
Associated Names
Type MALWARE
Version 1.2
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation Duqu examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges.2
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account The discovery modules used with Duqu can collect information on accounts and permissions.1
enterprise T1071 Application Layer Protocol Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.1
enterprise T1010 Application Window Discovery The discovery modules used with Duqu can collect information on open windows.1
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Duqu creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key.1
enterprise T1001 Data Obfuscation -
enterprise T1001.002 Steganography When the Duqu command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by appending it to a blank JPG file.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography The Duqu command and control protocol’s data stream can be encrypted with AES-CBC.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Duqu can track key presses with a keylogger module.1
enterprise T1057 Process Discovery The discovery modules used with Duqu can collect information on process details.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).1
enterprise T1055.012 Process Hollowing Duqu is capable of loading executable code via process hollowing.1
enterprise T1572 Protocol Tunneling Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.1
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy Duqu can be configured to have commands relayed over a peer-to-peer network of infected hosts if some of the hosts do not have Internet access.1
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec Duqu has used msiexec to execute malicious Windows Installer packages. Additionally, a PROPERTY=VALUE pair containing a 56-bit encryption key has been used to decrypt the main payload from the installer packages.2
enterprise T1016 System Network Configuration Discovery The reconnaissance modules used with Duqu can collect information on network configuration.1
enterprise T1049 System Network Connections Discovery The discovery modules used with Duqu can collect information on network connections.1
enterprise T1078 Valid Accounts Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.1

References

Back to top