Hackers Target Middle East Governments with Evasive "CR4T" Backdoor

*Severity-High: The "CR4T" backdoor is being actively deployed by a malware dropper packed with defense evasion techniques; its goal is to give attackers a console on the victim's machine for remote command execution.*

In February 2024, Kaspersky discovered a new malware campaign targeting government entities in the Middle East that actively employed over 30 DuneQuixote dropper samples. The droppers take one of two forms: a regular malware dropper, or an installer that masquerades as the legitimate tool “Total Commander”. Both carry malicious code that downloads additional malware through a backdoor Kaspersky has named “CR4T”. The threat actor behind this campaign used sophisticated defense evasion methods to avoid being unmasked through network logs or through comments in the malware code. The initial dropper observed in this activity is a Windows x64 executable written in C/C++ that carries invalid digital signatures. When executed, it oddly calls string comparison functions on snippets of Spanish poems that serve no practical purpose for the attack. The snippets vary between attack instances, which changes each sample's signature and so evades traditional signature-based detection. The dropper then decrypts the C2 address using the filename under which it was executed, concatenated with one of the hardcoded Spanish poem strings, so the address cannot be recovered without the original filename; this keeps the attacker's C2 server from being exposed.

Kaspersky was unable to download and inspect the payload from the C2 because access requires the correct hardcoded ID. The Total Commander installer dropper is built to mimic a legitimate Total Commander software installer. It retains the core functionality of the initial dropper but with several key differences: it omits the Spanish poem strings and the decoy function calls, and it adds a series of anti-analysis measures and checks that block the connection to C2 resources when analysis is detected.

The “CR4T” implant is designed with the primary goal of giving attackers a console for command line execution on the victim's machine. It also supports downloading, uploading, and modifying files. Once running, the implant first retrieves the computer name of the infected host and the username of the current user, then establishes a connection to the C2 server.

The threat actor was observed attempting to retrieve the names of all scheduled tasks on the infected machine beginning with “User_Feed_Sync“. These scheduled tasks were probably created by the Golang version of CR4T for persistence. This campaign's infrastructure appears to be in the US. The majority of uploads to semi-public malware scanning services originated from the Middle East; the remaining sources, which we suspect are VPN exit nodes, are geo-located in South Korea, Luxembourg, Japan, Canada, the Netherlands, and the US.
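The scheduled-task names beginning with “User_Feed_Sync” are the most concrete host artefact in this write-up, so the following hunting helper is added here as an illustration; it is not Kaspersky's code or anything recovered from CR4T. It scans normalised Windows task-creation events for that prefix. The event records are constructed for the example, and their field names (EventID, Computer, SubjectUserName, TaskName, TaskContent, UserContext) follow Security event 4698 and Task Scheduler operational event 106 only loosely; the exact schema is an assumption of this example, not a vendor format.

```python
"""Added example: flag scheduled-task registrations whose task name starts
with the "User_Feed_Sync" prefix observed in the CR4T campaign.
Not the original write-up's code; event schema below is an assumption."""
import re
from typing import Any, Dict, Iterable, List, Optional

# Task-name prefix reported in the write-up.
TASK_NAME_PREFIX = "User_Feed_Sync"

# Security 4698 ("A scheduled task was created") and
# Microsoft-Windows-TaskScheduler/Operational 106 ("Task registered")
# both record task registration; other event IDs are ignored.
TASK_CREATED_EVENT_IDS = {4698, 106}

# 4698 carries the task XML; the <Command> element names the executable.
_COMMAND_RE = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE | re.DOTALL)

# Constructed sample events (not real telemetry); field names are assumed.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 4698, "Computer": "WS01", "SubjectUserName": "alice",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": "<Task><Actions><Exec><Command>%windir%\\system32\\defrag.exe"
                    "</Command></Exec></Actions></Task>"},
    {"EventID": 4698, "Computer": "WS01", "SubjectUserName": "alice",
     "TaskName": r"\User_Feed_Sync_1A2B",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\alice\\AppData\\Local\\Temp\\tcmd.exe"
                    "</Command></Exec></Actions></Task>"},
    {"EventID": 4624, "Computer": "WS01", "SubjectUserName": "alice"},  # logon, no task
    {"EventID": 106, "Computer": "WS02", "UserContext": r"WS02\bob",
     "TaskName": r"\user_feed_sync"},  # different case; Task Scheduler names are case-insensitive
    {"EventID": 4698, "Computer": "WS03", "SubjectUserName": "svc",
     "TaskName": r"\Vendor\Sync_User_Feed_Sync"},  # contains but does not start with the prefix
]


def task_leaf_name(task_name: str) -> str:
    """Return the final path component of a Task Scheduler name such as
    '\\Microsoft\\Windows\\Defrag\\ScheduledDefrag'."""
    return task_name.rsplit("\\", 1)[-1]


def matches_cr4t_prefix(task_name: str) -> bool:
    """True when the task's leaf name starts with the observed prefix.
    Compared case-folded because Task Scheduler names are case-insensitive."""
    return task_leaf_name(task_name).casefold().startswith(TASK_NAME_PREFIX.casefold())


def extract_command(task_content: Optional[str]) -> Optional[str]:
    """Pull the executable path out of the task XML, if the event carries it."""
    m = _COMMAND_RE.search(task_content or "")
    return m.group(1).strip() if m else None


def detect_cr4t_tasks(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per task-creation event whose name matches the prefix."""
    findings: List[Dict[str, Any]] = []
    for ev in events:
        if ev.get("EventID") not in TASK_CREATED_EVENT_IDS:
            continue
        name = ev.get("TaskName")
        if not isinstance(name, str) or not matches_cr4t_prefix(name):
            continue
        findings.append({
            "host": ev.get("Computer"),
            "user": ev.get("SubjectUserName") or ev.get("UserContext"),
            "task_name": name,
            "command": extract_command(ev.get("TaskContent")),
            "event_id": ev["EventID"],
        })
    return findings


if __name__ == "__main__":
    for finding in detect_cr4t_tasks(SAMPLE_EVENTS):
        print(finding)
```

The match is deliberately a prefix test on the leaf name rather than a substring search, mirroring what the write-up says the operators themselves looked for; the command path, where the event carries the task XML, is the natural pivot for checking the executable's signature and triage of the host.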

Security Officer Comments:
This campaign deploys a variety of tools built for stealth and persistence, backed by effective defense evasion methods. The threat actor's toolkit shows adaptability and resourcefulness, since the CR4T implant exists in C, C++, and Golang versions. The actor covers its tracks by controlling who can reach its C2 payloads and data and by deliberately altering file signatures to evade EDR detection. The malware's mimicry of the legitimate Total Commander installer further reinforces that this threat actor's techniques are sophisticated. Although the threat actor demonstrably focuses on a particular region, there is no evidence of state-sponsored activity.

Suggested Corrections:
Kaspersky’s Global Research and Analysis Team has published the IOCs for this malicious activity: