
Duqu First Spotted as ‘Stars’ Malware in Iran

As we continue to investigate the Duqu targeted attack, there is new information that suggests the malware was created to spy on Iran’s nuclear program.

Some background and facts:

Back in April this year, Iran announced it was victim to a cyber-attack with a virus called “Stars.” This article offers some additional details on that attack.

We can now confirm that some of the targets of Duqu were hit on April 21, using the same method involving CVE-2011-3402, a kernel-level exploit in win32k.sys triggered via an embedded TrueType Font (TTF) file.

According to analysis by IrCERT (Iran’s Computer Emergency Response Team), Duqu is an upgraded version of “Stars”.

If we are to believe these reports, then it means that Duqu was created in order to spy on Iran’s nuclear program.

Just yesterday (November 4), the United Nations announced it was in possession of plans from Iran to make computer models of a nuclear warhead.

“The annex will also say that more than 10 nations have supplied intelligence suggesting Iran is secretly developing components of a nuclear arms program – among them an implosion-type.”

It would not be surprising that Stars and Duqu were used to collect such information.
