Leviathan Security Group discovered that malicious Tor exit nodes were wrapping Windows executable files (.exe files) downloaded through them with malware. F-Secure researchers dubbed the malware "OnionDuke".
The MiniDuke Link
MiniDuke was a highly sophisticated malware family that had previously infected government agencies and organisations spanning 23 countries. MiniDuke used multiple layers of encryption and clever coding tricks that made it difficult to detect and reverse engineer, and because it was written in assembly language most MiniDuke files were small in size. MiniDuke used certain websites as command and control (C&C) servers, which is quite similar to the C&C chain that OnionDuke uses.
How OnionDuke Works
A victim whose Tor circuit passed through the malicious exit node would request an executable (.exe) file from a website over plain HTTP. Because the exit node sees and forwards the unencrypted response, it could modify the file in transit: the original executable was wrapped with a malware dropper, detected as Trojan-Dropper:W32/OnionDuke.A, before it reached the victim. The dropper contains what at first glance appears to be an embedded GIF image, whereas it is actually a DLL file, detected as Backdoor:W32/OnionDuke.A. The DLL is written to disk and executed, and then decrypts an embedded configuration file that contains a list of C&C domains (the original article shows a screenshot of this configuration, which is not reproduced here).
The domains in the configuration were used as command and control sites from which the malware would receive instructions or download and install additional malicious components. Upon analysing the websites, F-Secure researchers found them to be otherwise innocent sites that had been compromised. One domain, overpict.com, was hard-coded into the backdoor itself, and the analysis suggests that the malware also abused Twitter as an additional C&C channel.
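The wrapping described above leaves a structural trace that a practitioner can check for before running a file that arrived over an untrusted path: a legitimate download starts with exactly one Windows PE image, whereas a dropper built the OnionDuke way carries a second PE image (here a DLL) inside its body, possibly behind an image-file header. The script below is an added example written for this page; it is not code from the original article, from F-Secure or from Leviathan. It walks a file for structurally valid PE headers (an "MZ" stub whose e_lfanew field really does point at a "PE\0\0" signature), reads the COFF characteristics to tell a DLL from an EXE, and flags files whose declared type does not match what they contain. The sample files are constructed inline with minimal fake headers; the layout of the real OnionDuke dropper is not known from the page, so the "GIF header followed by a DLL" resource is a modelling assumption.

```python
"""Heuristic check for downloads that carry a hidden Windows executable.

Added example for this article (not code from the original page, F-Secure or
Leviathan). Sample inputs are constructed below with minimal fake PE headers.
"""
from __future__ import annotations

import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag marking a DLL


def find_embedded_pe(data: bytes) -> list[int]:
    """Return the offset of every structurally valid PE image inside data.

    A hit requires 'MZ' at the offset, an e_lfanew (DWORD at MZ+0x3C) that is
    plausible and inside the buffer, and 'PE\\0\\0' at MZ+e_lfanew. Random
    'MZ' byte pairs in image or compressed data almost never satisfy all three.
    """
    hits = []
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == PE_MAGIC:
                hits.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return hits


def pe_characteristics(data: bytes, mz_off: int) -> dict:
    """Read Machine and Characteristics from the COFF header following the PE signature."""
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    coff = mz_off + e_lfanew + len(PE_MAGIC)
    machine, _nsec, _ts, _psym, _nsym, _optsz, chars = struct.unpack_from("<HHIIIHH", data, coff)
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL)}


def classify_download(data: bytes, declared_ext: str) -> dict:
    """Compare what a downloaded file claims to be with what it actually contains."""
    hits = find_embedded_pe(data)
    starts_with_pe = bool(hits) and hits[0] == 0
    hidden = [h for h in hits if h != 0]
    reasons = []
    ext = declared_ext.lower()
    if ext == ".gif" and hits:
        reasons.append("file declared as an image contains a PE image at offset(s) %s" % hits)
    if ext == ".exe" and not starts_with_pe:
        reasons.append("file declared as .exe does not start with a PE header")
    if hidden:
        kinds = ["DLL" if pe_characteristics(data, h)["is_dll"] else "EXE" for h in hidden]
        reasons.append("embedded %s image(s) at offset(s) %s (wrapper/dropper pattern)"
                       % (", ".join(kinds), hidden))
    return {"verdict": "suspicious" if reasons else "clean", "reasons": reasons, "pe_offsets": hits}


def make_pe(is_dll: bool) -> bytes:
    """Build a minimal fake PE: 64-byte DOS stub, PE signature, 20-byte COFF header."""
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS stub
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, chars)  # Machine = i386
    return bytes(dos) + PE_MAGIC + coff


# Constructed samples (assumption: the hidden DLL sits behind a GIF header, as the
# article describes a resource that looks like a GIF but is a DLL).
CLEAN_EXE = make_pe(is_dll=False) + b"\x00" * 64
FAKE_GIF = b"GIF89a" + b"\x00" * 10 + make_pe(is_dll=True) + b"\x00" * 16
WRAPPED_EXE = make_pe(is_dll=False) + b"\x00" * 32 + FAKE_GIF

if __name__ == "__main__":
    for name, blob, ext in (("clean.exe", CLEAN_EXE, ".exe"),
                            ("wrapped.exe", WRAPPED_EXE, ".exe"),
                            ("payload.gif", FAKE_GIF, ".gif")):
        print(name, classify_download(blob, ext))
```

On a real sample the offsets reported for the hidden image are the ones to carve out and inspect (or hash and look up) before anything is executed; a single hit at offset 0 is the normal shape of a legitimate executable.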
The John Kassai link
Overpict.com was originally registered in 2011 under the alias "John Kassai". Within two weeks, "John Kassai" registered the following domains:
airtravelabroad.com, beijingnewsblog.net, grouptumbler.com, leveldelta.com, nasdaqblog.net, natureinhome.com, nestedmail.com, nostressjob.com, nytunion.com, oilnewsblog.com, sixsquare.net and ustradecomp.com.
What is interesting is that two of these, leveldelta.com and grouptumbler.com, were previously used as C&C domains by MiniDuke. The shared infrastructure points towards the actors behind MiniDuke and OnionDuke being connected, even though the two are different malware families.
OnionDuke also infected executables inside torrents containing pirated software. F-Secure also found strong evidence that OnionDuke was targeting European government agencies, which suggests two different targeting strategies: the traditional surgical APT targeting, and a "shooting a fly with a cannon" approach, which is essentially mass infection through modified binaries.
Whilst the case is still shrouded in mystery and speculation, you can mitigate this risk by making sure the exit node never sees a modifiable plaintext response: download only over HTTPS with certificate verification, or tunnel your traffic through a VPN established over Tor, so that the exit node only forwards encrypted VPN traffic it cannot alter. Note that a VPN set up before Tor (on the client side) does nothing against this attack, because the traffic still leaves the exit node in the clear. In addition, don't download .exe files over Tor, and verify the publisher's signature or published hash of any executable before running it.