Duqu First Spotted as ‘Stars’ Malware in Iran

05 Nov 2011

minute read

Authors

Ryan Naraine

As we continue to investigate the Duqu targeted attack, there is new information that suggests the malware was created to spy on Iran’s nuclear program.

Some background and facts:

Back in April this year, Iran announced it was victim to a cyber-attack with a virus called “Stars.” This article offers some additional details on that attack.

We can now confirm that some of the targets of Duqu were hit on April 21, using the same method involving CVE-2011-3402, a kernel level exploit in win32k.sys via embedded True Type Font (TTF) file.

According to analysis by IrCERT (Iran’s Computer Emergency Response Team) Duqu is an upgraded version of “Stars”:

If we are to believe these reports, then it means that Duqu was created in order to spy on Iran’s nuclear program.

Just yesterday (November 4), the United Nations announced it was in possession of plans from Iran to make computer models of a nuclear warheads.

“The annex will also say that more than 10 nations have supplied intelligence suggesting Iran is secretly developing components of a nuclear arms program – among them an implosion-type.”

It would not be surprising that Stars and Duqu were used to collect such information.

Authors

Ryan Naraine

Duqu First Spotted as ‘Stars’ Malware in Iran

Latest Posts

Latest Webinars

Reports

An unknown actor targeted an electric utility in southern Africa with Cobalt Strike beacons and DroxiDat, a new variant of the SystemBC payload. We speculate that this incident was in the initial stages of a ransomware attack.

This is our latest summary of the significant events and findings, focusing on activities that we observed during Q2 2023.

While monitoring the traffic of our own corporate Wi-Fi network, we noticed suspicious activity that originated from several iOS-based phones. We created offline backups of the devices, inspected them and discovered traces of compromise.

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

Duqu First Spotted as ‘Stars’ Malware in Iran

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

T2’12: Huawei Routers, Pin Pad Terminals Under Security Scrutiny

EuSecWest 2012: That thing in your pocket

Lab Matters – The death of browser trust

Lab Matters – The threat from P2P botnets

Lab Matters – Cloudy with a chance of stolen data

QBot banker delivered through business correspondence

Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange

Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day)

Two more malicious Python packages in the PyPI

Latest Posts

Threat landscape for industrial automation systems. Statistics for H1 2023

Free Download Manager backdoored – a possible supply chain attack on Linux machines

From Caribbean shores to your devices: analyzing Cuba ransomware

Evil Telegram doppelganger attacks Chinese users

Latest Webinars

2023 APT Landscape Unveiled: Trends, Challenges, Solutions

Cybersecurity risks in alternative energy sources

Securing ICS Workstations: Vulnerability Identification with OVAL

Unveiling the Darknet’s Malware-as-a-Service model

Reports

Focus on DroxiDat/SystemBC

APT trends report Q2 2023

Operation Triangulation: iOS devices targeted with previously unknown malware

Meet the GoldenJackal APT group. Don’t expect any howls

Subscribe to our weekly e-mails