A recent revelation by Russian cybersecurity firm Kaspersky sheds light on a covert cyber campaign dubbed DuneQuixote, which has been clandestinely targeting government bodies in the Middle East. This campaign involves the deployment of a newly identified backdoor called CR4T.

Kaspersky's investigation, initiated in February 2024, suggests that the operation might have been underway for at least a year prior. The perpetrators have taken sophisticated measures to evade detection, employing intricate methods to shield their implants from scrutiny and analysis.

The attack commences with a dropper, available in two versions: a standard executable or a DLL file, and a manipulated installer for a legitimate software tool called Total Commander. Regardless of the variant, the dropper's main task is to extract a concealed command-and-control (C2) address, utilizing a unique decryption technique to obfuscate the server's location and thwart automated malware analysis tools.

The decryption process involves combining the dropper's filename with snippets of Spanish poetry embedded in its code, followed by calculating an MD5 hash to decode the C2 server address. Upon successful decryption, the dropper establishes connections with the C2 server and fetches a subsequent payload, employing a hardcoded ID as the User-Agent string in HTTP requests.

Kaspersky notes that the payload remains inaccessible unless the correct user agent is provided, indicating a deliberate effort to restrict access. Additionally, the payload may only be downloaded once per victim or for a limited time following the malware's release.

Meanwhile, the trojanized Total Commander installer exhibits some variations while retaining the core functionality of the original dropper. It omits the Spanish poem strings and incorporates additional anti-analysis checks to detect debugging or monitoring tools, monitor cursor activity, check system RAM and disk capacity, among other measures.

CR4T, the central component of the campaign, is a memory-only implant written in C/C++, facilitating command-line execution, file operations, and data transfers between the infected system and the C2 server. Kaspersky also identified a Golang version of CR4T with similar capabilities, including executing arbitrary commands and creating scheduled tasks using the Go-ole library. The Golang variant employs COM objects hijacking for persistence and utilizes the Telegram API for C2 communication, indicating a cross-platform approach by the threat actors.

The presence of the Golang variant underscores the threat actors' ongoing efforts to refine their techniques and develop more resilient malware. Kaspersky emphasizes that the DuneQuixote campaign poses a significant threat to entities in the Middle East, showcasing advanced evasion tactics and persistence mechanisms through the use of memory-only implants and disguised droppers masquerading as legitimate software.