DuneQuixote campaign targets Middle Eastern entities with “CR4T” malware

Researchers uncovered the DuneQuixote campaign delivering memory-only CR4T implants to Middle Eastern government targets via multiple droppers, including tampered Total Commander installers. The droppers use layered obfuscation, dynamic API resolution, filename-based C2 decryption, and strong anti-analysis checks, while CR4T provides a named-pipe console, file transfer, and scheduled-task/COM persistence (Golang variant uses Telegram API). #DuneQuixote #CR4T #TotalCommander

Keypoints

  • Campaign uses >30 dropper samples in two forms: standalone x64 droppers and modified Total Commander installers with an added malicious section.
  • Droppers perform decoy API calls and per-sample string variations (Spanish poem snippets) to evade signature detection, and decrypt strings with multiple XOR-like routines.
  • Dynamic API resolution is implemented by locating the PEB, walking the export table of kernel32.dll and resolving GetProcAddress from its offset, so the remaining APIs can be looked up without an import table; even the 0x60 constant (the offset of the PEB pointer in the x64 TEB, read via gs:[0x60]) is stored encrypted rather than hardcoded, so a plain constant scan does not reveal the technique.
  • C2 addresses are decrypted using an MD5 key derived from the dropper's own filename concatenated with a hardcoded poem string, so a sample that has been renamed before analysis (for example to its hash by a sandbox) decrypts to garbage; the C2 only serves payloads when a specific hardcoded user-agent is used.
  • Total Commander installer droppers include extensive anti-analysis checks (debugger, monitoring tools, RAM/disk thresholds, cursor movement) that can intentionally corrupt the C2 URL to prevent connections.
  • CR4T implants (C/C++ and Golang) run in memory, spawn hidden cmd.exe instances, use named pipes for I/O, Base64-encode command traffic, support upload/download/file write, and use scheduled tasks/COM hijacking for persistence.
  • Infrastructure includes domains commonline[.]space and userfeedsync[.]com with IPs 135.148.113[.]161 and 104.36.229[.]249; victims observed primarily in the Middle East.

MITRE Techniques

  • [T1204] User Execution – Droppers and a tampered Total Commander installer rely on the user running an executable (“the Total Commander installer dropper is created to mimic a legitimate Total Commander software installer”).
  • [T1036] Masquerading – The threat actor modifies a legitimate installer by adding a malicious section and changing the entry point to appear authentic (“it is, in fact, the legitimate installer file, but with an added malicious file section and a modified entry point”).
  • [T1027] Obfuscated Files or Information – Strings and constants are encrypted and multiple decryption routines are used to hinder analysis (“the malware decrypts the names of essential Windows core DLLs using a straightforward XOR decryption algorithm” and uses poem snippets to change signatures).
  • [T1105] Ingress Tool Transfer – The dropper downloads a payload from a C2 server into the process’s memory for execution (“Once the payload is downloaded into the process’s memory, the dropper performs a verification check for the ‘M’ magic byte”).
  • [T1055] Process Injection – Payloads are executed in memory (memory-only implants) and interact with spawned processes (hidden cmd.exe) via named pipes (“The implant initiates a cmd.exe process in a hidden window and establishes two named pipes”).
  • [T1071.001] Application Layer Protocol: Web Protocols – Implant and dropper communicate with C2 over HTTP/S and require a specific user-agent string for payload access (“the malware attempts to establish a connection with the C2 server using a specifically hardcoded ID as the user agent”).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – Installer droppers check for debuggers, monitoring tools, cursor movement, available RAM and disk capacity to avoid analysis (“If any of the anti-analysis checks fail… the altered URL prevents the establishment of a connection to the C2 server”).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The Golang CR4T creates scheduled tasks (and the actor queries tasks named ‘User_Feed_Sync*’) for persistence (“attempting to retrieve the names of all scheduled tasks on the infected machine beginning with ‘User_Feed_Sync’”).
  • [T1546.008] Component Object Model Hijacking – The Golang variant can achieve persistence by hijacking COM objects (“The malware is also capable of achieving persistence by utilizing the COM objects hijacking technique”).
  • [T1102] Web Service – The Golang CR4T variant uses the Telegram API (a public web service) for C2 communications (“it uses the Telegram API for C2 communications, implementing the public Golang Telegram API bindings”).

Indicators of Compromise

  • [File hashes] DuneQuixote dropper samples – 3aaf7f7f0a42a1cf0a0f6c61511978d7, 5759acc816274d38407038c091e56a5c, and many others (30+ hashes listed).
  • [Domains] C2/infrastructure domains – commonline[.]space (and subdomains g1sea23g.commonline[.]space, telemetry.commonline[.]space), userfeedsync[.]com (and telemetry.userfeedsync[.]com).
  • [IP addresses] Hosting providers – 135.148.113[.]161, 104.36.229[.]249 (associated with the campaign infrastructure).
  • [PDB paths / Strings] Embedded developer paths – “C:\Users\user\Desktop\code\CR4T\x64\Release\CR4T.pdb”, “C:/Users/user/Desktop/code/Cr4tInst/main.go” (used to name CR4T variants).
  • [User-agent / HTTP header] C2 access requirement – hardcoded user-agent values such as “TroubleShooter” and a specific hardcoded ID required to download payloads.

The technical flow begins with two dropper forms: a handcrafted x64 executable (with DLL variants) and a tampered Total Commander installer, which is the legitimate installer with an added .textbss section and a modified entry point; that modification breaks the installer's original code signature. Droppers make useless decoy API calls and embed per-sample Spanish-poem snippets to alter signatures, then decrypt core strings via multiple XOR-like routines. They dynamically resolve Windows API addresses by locating the PEB and walking the kernel32.dll export table for GetProcAddress, decrypt the C2 URL using an MD5 key derived from the execution filename plus a hardcoded poem string, and require a specific hardcoded user-agent to retrieve a payload; a downloaded payload is verified in memory by checking for the ‘M’ of the MZ magic before it is executed.
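As an added illustration (not code from the report or from the actors' tooling), the following Python script shows a static triage check an analyst can run against an installer to spot the kind of tampering described above: it parses the PE section table and flags an entry point that lands in a late, writable-and-executable section instead of the first code section. The two PE images it inspects are constructed in memory (minimal headers, no real code); the `.textbss` section name comes from the page, the rest of the layout is an assumption.

```python
"""Flag a PE whose entry point lands in an appended section (added example).

The headers below are constructed for the demo: a 'clean' layout with the
entry point in .text, and a 'tampered' layout with an extra .textbss section
(the section name the write-up reports) holding the entry point. No real
installer bytes are included.
"""
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    va: int
    size: int
    characteristics: int

    def contains(self, rva: int) -> bool:
        return self.va <= rva < self.va + self.size

    @property
    def executable(self) -> bool:
        return bool(self.characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))

    @property
    def writable(self) -> bool:
        return bool(self.characteristics & IMAGE_SCN_MEM_WRITE)


def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, [Section, ...]) from raw PE header bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", pe, opt + 16)[0]    # AddressOfEntryPoint (same offset in PE32 and PE32+)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                    # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rawsize, _rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode(), va, max(vsize, rawsize), chars))
    return entry, sections


def assess_entry_point(pe: bytes) -> dict:
    """Heuristics for a modified entry point; each boolean is True when suspicious."""
    entry, sections = parse_pe(pe)
    target = next((s for s in sections if s.contains(entry)), None)
    first_code = next((s for s in sections if s.executable), None)
    return {
        "entry_section": target.name if target else None,
        "entry_outside_first_code_section": target is not first_code,
        "entry_in_last_section": target is sections[-1] if target else False,
        "entry_section_writable_and_executable": bool(target and target.writable and target.executable),
    }


def build_pe(entry_rva: int, sections) -> bytes:
    """Construct minimal PE32+ headers (DOS stub, COFF, optional header, section table)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), size, va, size,
                    0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, va, size, chars) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
R = IMAGE_SCN_MEM_READ
RW = R | IMAGE_SCN_MEM_WRITE
RWX = RX | IMAGE_SCN_MEM_WRITE

# Constructed layouts: the 'tampered' one appends an RWX .textbss section and moves the entry point into it.
CLEAN = build_pe(0x1234, [(".text", 0x1000, 0x1000, RX), (".rdata", 0x2000, 0x1000, R), (".data", 0x3000, 0x1000, RW)])
TAMPERED = build_pe(0x4010, [(".text", 0x1000, 0x1000, RX), (".rdata", 0x2000, 0x1000, R),
                             (".data", 0x3000, 0x1000, RW), (".textbss", 0x4000, 0x1000, RWX)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, assess_entry_point(image))
```

On a real installer the stronger signal is the one the page itself gives: the Authenticode signature no longer verifies after the modification. The section heuristic is for triage when signature checking is unavailable; a `.textbss` section also appears in some incrementally linked debug builds, so treat a hit as a reason to look closer, not as proof.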

The Total Commander installer variant omits the decoys but adds robust anti-analysis checks (debugger detection, presence of known monitoring tools such as python.exe/taskmgr.exe/procmon.exe, more than two explorer.exe instances, cursor inactivity, less than 8 GB of RAM, less than 40 GB of disk). Rather than exiting when a check fails, the routine returns a value that corrupts the decrypted C2 URL (it drops the leading ‘h’ from ‘https’), so the connection silently never happens and a sandbox records no C2 traffic. Once a payload is obtained, CR4T implants run in memory: the C/C++ variant spawns a hidden cmd.exe, creates two named pipes for inter-process communication, sets the “TroubleShooter” user-agent, and exchanges Base64-encoded commands and outputs with the C2; single-byte command codes map to actions such as console access, download (D), upload (U), write (T), sleep (S), and exit (R).
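To make the two dropper behaviours above concrete, here is an added Python model (not the actors' code and not from the report) of the filename-keyed C2 decryption and the anti-analysis "poisoning" of the URL. The page only states that the key is the MD5 of the filename plus a hardcoded poem string and that a failed check strips the leading ‘h’; the repeating-key XOR cipher, the poem snippet, the sample filename, the URL and the host parameters below are all assumptions constructed for the demo.

```python
"""Model of the dropper's C2-URL derivation and anti-analysis sabotage (added example).

Assumptions, constructed for the demo: the cipher is a repeating-key XOR under
the MD5-derived key; POEM_SNIPPET, ORIGINAL_NAME and C2_URL are placeholders.
"""
import hashlib
from itertools import cycle
from urllib.parse import urlsplit

POEM_SNIPPET = b"En un lugar de la Mancha"   # stand-in for the hardcoded poem string


def derive_key(filename: str) -> bytes:
    """MD5 over the execution filename concatenated with the hardcoded string."""
    return hashlib.md5(filename.encode() + POEM_SNIPPET).digest()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encrypt_c2(url: str, filename: str) -> bytes:
    """What a builder would embed: the URL encrypted under the filename-derived key."""
    return xor_bytes(url.encode(), derive_key(filename))


def decrypt_c2(blob: bytes, filename: str) -> str:
    return xor_bytes(blob, derive_key(filename)).decode("latin-1")


def anti_analysis_offset(*, debugger: bool, monitor_tools: bool, explorer_count: int,
                         ram_gb: float, disk_gb: float) -> int:
    """0 when every check passes; otherwise 1, which the caller uses to slice off the 'h'."""
    failed = debugger or monitor_tools or explorer_count > 2 or ram_gb < 8 or disk_gb < 40
    return 1 if failed else 0


def resolve_c2(blob: bytes, filename: str, env: dict) -> str:
    """Decrypt the URL, then apply the sabotage offset the way the dropper does."""
    return decrypt_c2(blob, filename)[anti_analysis_offset(**env):]


def usable(url: str) -> bool:
    """A URL without its scheme ('ttps://...') never produces an HTTP connection."""
    try:
        return urlsplit(url).scheme in ("http", "https")
    except ValueError:
        return False


ORIGINAL_NAME = "TotalCommander_setup.exe"        # constructed
C2_URL = "https://telemetry.c2.example/payload"   # constructed placeholder, not a real C2
BLOB = encrypt_c2(C2_URL, ORIGINAL_NAME)          # the blob a sample would carry

CLEAN_HOST = dict(debugger=False, monitor_tools=False, explorer_count=1, ram_gb=16, disk_gb=256)
SANDBOX = dict(debugger=False, monitor_tools=True, explorer_count=1, ram_gb=4, disk_gb=30)

if __name__ == "__main__":
    print("original name, clean host :", resolve_c2(BLOB, ORIGINAL_NAME, CLEAN_HOST))
    print("original name, sandbox    :", resolve_c2(BLOB, ORIGINAL_NAME, SANDBOX))
    print("renamed sample, clean host:", repr(resolve_c2(BLOB, "sample.bin", CLEAN_HOST)))
```

The three cases are the ones an analyst actually hits: the URL only recovers when the sample runs under its original filename on a host that passes every check; renaming the file (as sandboxes routinely do) or failing one threshold yields an unusable string, and the dropper simply looks like it does nothing.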

The Golang CR4T mirrors these capabilities, adds scheduled-task creation via the go-ole COM bindings and can persist through COM hijacking; it also supports Telegram-based C2 using public Golang Telegram API bindings. Infrastructure observed includes domains commonline[.]space and userfeedsync[.]com and IPs 135.148.113[.]161 / 104.36.229[.]249, with victims concentrated in the Middle East and many dropper samples submitted to public scanning services.

Read more: https://securelist.com/dunequixote/112425/