Kaspersky Lab reported this morning a next-generation version of Duqu malware infected the information security company’s network.
WSJ reported this particular version may have been used to spy on the P5+1 talks with Iran on nuclear development. Dubbed ‘Duqu 2.0,’ the malware may have gathered audio, video, documents and communications from computers used by talk participants.
Ars Technica reported in depth on Kaspersky’s discovery of the malware and its attributes. What’s really remarkable in this iteration is its residence in memory. It only exists as a copy on a drive at the first point of infection in a network, and can be wiped remotely to destroy evidence of its occupation.
The infosec firm killed the malware in their networked devices by mimicking a power outage. They detached from their network suspect devices believed to contain an infecting copy.
Kaspersky’s Patient Zero was a non-technical employee in Asia. Duqu 2.0 wiped traces of its own insertion from the PC’s drive.
Neither WSJ or Ars Technica noted Kaspersky’s network must have been subject to a program like TREASUREMAP.
…Because the rest of the data remained intact on the PC and its security patches were fully up to date, researchers suspect the employee received a highly targeted spear phishing e-mail that led to a website containing a zero-day exploit. … (bold mine – source: Ars Technica)
How was a single non-technical point of contact in Asia identified as a target for an infected email? Read more