TLDR:
Key Points:
- Government entities in the Middle East targeted by CR4T backdoor campaign
- Dropper extracts C2 server address using novel techniques to evade detection
In a recent discovery by Russian cybersecurity company Kaspersky, government entities in the Middle East have been targeted in a sophisticated campaign deploying a new backdoor known as CR4T. The campaign, codenamed DuneQuixote, employs evasion techniques to prevent detection, with a dropper extracting a hidden C2 server address using a novel method involving Spanish poem strings.
The CR4T backdoor, available in both C/C++ and Golang versions, allows attackers to execute commands, upload and download files, and establish persistent communication with the C2 server using unique tactics like COM object hijacking and the Telegram API. This indicates that threat actors behind DuneQuixote are continuously refining their tools and tradecraft to target entities in the Middle East.
The sophistication of the CR4T campaign highlights the need for advanced cybersecurity measures to protect against such stealthy and persistent threats, especially in critical government sectors.