Duqu First Spotted as ‘Stars’ Malware in Iran

05 Nov 2011

minute read

Authors

Ryan Naraine

As we continue to investigate the Duqu targeted attack, there is new information that suggests the malware was created to spy on Iran’s nuclear program.

Some background and facts:

Back in April this year, Iran announced it was victim to a cyber-attack with a virus called “Stars.” This article offers some additional details on that attack.

We can now confirm that some of the targets of Duqu were hit on April 21, using the same method involving CVE-2011-3402, a kernel level exploit in win32k.sys via embedded True Type Font (TTF) file.

According to analysis by IrCERT (Iran’s Computer Emergency Response Team) Duqu is an upgraded version of “Stars”:

If we are to believe these reports, then it means that Duqu was created in order to spy on Iran’s nuclear program.

Just yesterday (November 4), the United Nations announced it was in possession of plans from Iran to make computer models of a nuclear warheads.

“The annex will also say that more than 10 nations have supplied intelligence suggesting Iran is secretly developing components of a nuclear arms program – among them an implosion-type.”

It would not be surprising that Stars and Duqu were used to collect such information.

Authors

Ryan Naraine

Duqu First Spotted as ‘Stars’ Malware in Iran

Latest Posts

Latest Webinars

Reports

In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021.

Asian APT groups target various organizations from a multitude of regions and industries. We created this report to provide the cybersecurity community with the best-prepared intelligence data to effectively counteract Asian APT groups.

We unveil a Lazarus campaign exploiting security company products and examine its intricate connections with other campaigns

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Duqu First Spotted as ‘Stars’ Malware in Iran

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

T2’12: Huawei Routers, Pin Pad Terminals Under Security Scrutiny

EuSecWest 2012: That thing in your pocket

Lab Matters – The death of browser trust

Lab Matters – The threat from P2P botnets

Lab Matters – Cloudy with a chance of stolen data

XZ backdoor story – Initial analysis

A hack in hand is worth two in the bush

QBot banker delivered through business correspondence

Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange

Latest Posts

Android malware, Android malware and more Android malware

Threat landscape for industrial automation systems. H2 2023

A patched Windows attack surface is still exploitable

What’s in your notepad? Infected text editors target Chinese users

Latest Webinars

The Future of AI in cybersecurity: what to expect in 2024

Responding to a data breach: a step-by-step guide

2024 Advanced persistent threat predictions

Overview of modern car compromise techniques and methods of protection

Reports

HrServ – Previously unknown web shell used in APT attack

Modern Asian APT groups’ tactics, techniques and procedures (TTPs)

A cascade of compromise: unveiling Lazarus’ new campaign

How to catch a wild triangle

Subscribe to our weekly e-mails