CR4T Malware Used in DuneQuixote Campaign

Government bodies in the Middle East have become the focus of a previously unreported campaign aiming to deliver a new backdoor known as CR4T.

According to cybersecurity researchers, the activity was discovered in February 2024, with evidence suggesting it had been running for at least a year. Dubbed DuneQuixote, the campaign uses tactics aimed at thwarting detection and analysis, both in its communication channels and within the malware itself.

CR4T Attack Chain

The attack begins with a dropper, available in two forms: a standard executable or DLL file, and a trojanized installer for the legitimate file manager Total Commander. Regardless of the variant, the dropper's primary task is to decrypt an embedded command-and-control (C2) address, using an unusual key-derivation method that hides the server's location from automated analysis tools.

The dropper concatenates its own filename with one of several Spanish poem excerpts hardcoded in the binary, computes the MD5 hash of the result, and uses that hash as the key to decrypt the C2 server address. Because the key depends on the filename, a sample that has been renamed (as many sandboxes and analysis pipelines do automatically, for example to its hash) derives the wrong key and never recovers its C2 address.
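The following Python script is an added illustration of that key-derivation scheme, not code from the malware or from the researchers' report. The poem snippets, filename, C2 string and cipher are all constructed placeholders; in particular, the page does not say which cipher the MD5 hash keys, so a repeating-key XOR stands in for it. What the example shows is the property that matters to an analyst: the same ciphertext yields the C2 address under the shipped filename and nothing usable under a renamed copy.

```python
import hashlib
from typing import Optional

# Constructed placeholders (not the real campaign's data). The real dropper
# embeds several poem excerpts and tries them; we model that with a short list.
POEM_SNIPPETS = [
    "En un lugar de la Mancha, de cuyo nombre no quiero acordarme",
    "Caminante, no hay camino, se hace camino al andar",
]
SHIPPED_FILENAME = "TotalCommander_setup.exe"   # name the sample was delivered under
SANDBOX_FILENAME = "sample.exe"                 # name an automated pipeline might assign
PLACEHOLDER_C2 = "update.c2-placeholder.invalid"


def derive_key(filename: str, snippet: str) -> bytes:
    """MD5(filename || poem snippet). The filename is part of the key material,
    so renaming the file on disk silently changes the key."""
    return hashlib.md5((filename + snippet).encode("utf-8")).digest()


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Placeholder symmetric cipher (repeating-key XOR). The page does not
    document the real cipher; only the key derivation is being illustrated."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_c2(c2: str, filename: str, snippet: str) -> bytes:
    """What the operator does at build time: encrypt under the intended filename."""
    return xor_stream(c2.encode("ascii"), derive_key(filename, snippet))


def looks_like_c2(text: str) -> bool:
    """Cheap plausibility check: a hostname or host:port made of hostname characters.
    Random bytes from a wrong key essentially never pass this."""
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789.-:")
    return 0 < len(text) <= 253 and "." in text and all(c in allowed for c in text)


def decrypt_c2(blob: bytes, filename: str, snippet: str) -> Optional[str]:
    """Decrypt with one candidate snippet; None if the result is not address-like."""
    plain = xor_stream(blob, derive_key(filename, snippet))
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if looks_like_c2(text) else None


def recover_c2(blob: bytes, filename: str) -> Optional[str]:
    """Mimic the dropper: try each hardcoded snippet with the current filename."""
    for snippet in POEM_SNIPPETS:
        result = decrypt_c2(blob, filename, snippet)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    blob = encrypt_c2(PLACEHOLDER_C2, SHIPPED_FILENAME, POEM_SNIPPETS[1])
    print("blob:", blob.hex())
    print("run under shipped name :", recover_c2(blob, SHIPPED_FILENAME))
    print("run under sandbox name :", recover_c2(blob, SANDBOX_FILENAME))
```

When analysing a sample built this way, keep the original filename (or recover it from delivery artefacts such as the download URL or installer metadata) before detonating it; otherwise the dropper will quietly fail to reach its C2 and the run will look benign.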

Once connected to the C2 server, the dropper fetches the next-stage payload, but only if its HTTP request carries a predefined User-Agent string. Access is further restricted in time: the payload is served only for a limited period after the sample is deployed, so a researcher who retrieves the dropper later, or who replays the request with a generic client, receives nothing.

The trojanized Total Commander installer retains the dropper's core function but with some changes. It drops the Spanish poem strings and adds further anti-analysis checks, refusing to contact the C2 server under conditions that suggest a sandbox or analyst workstation, such as the presence of debugging tools, no cursor movement within a set period, or insufficient RAM or disk space.

CR4T, written in C/C++, is a memory-only implant that gives the attackers a command-line console on the victim, performs file operations, and uploads and downloads data to and from the C2 server.

April 22, 2024