In February 2024, Kaspersky uncovered a clandestine cyber campaign named DuneQuixote, targeting governmental bodies in the Middle East. The operation employs a new backdoor, CR4T, designed for stealthy infiltration and persistent access. Utilizing sophisticated evasion techniques, such as disguised droppers and trojanized software installers like Total Commander, attackers ensure their activities remain undetected.
CR4T, developed in both C/C++ and Golang variants, grants attackers remote access and execution capabilities on compromised machines. The malware’s memory-only implant nature and strategic use of encryption hinder detection and analysis efforts. Moreover, the Golang variant exhibits advanced features, including the ability to create scheduled tasks and leverage the Telegram API for communication, showcasing the attackers’ evolving sophistication.
The campaign’s modus operandi involves the initial deployment of droppers, which extract and decode embedded command-and-control (C2) addresses using novel techniques to evade detection. Once connected to the C2 server, the dropper downloads the CR4T payload, ensuring persistence on infected systems. Additionally, trojanized software installers serve as vectors, leveraging anti-analysis checks to thwart detection by security tools and systems.
