“CR4T” Backdoor Targets Governments with Evasive Tactics

A previously undocumented campaign has been discovered targeting government entities in the Middle East with a new backdoor known as CR4T. The campaign may have been active for at least a year before its discovery. Codenamed DuneQuixote, the campaign employs sophisticated evasion methods to avoid detection and analysis.

The attack begins with a dropper, which comes in two variants: a regular executable or DLL file, and a tampered installer for the legitimate tool Total Commander. The dropper’s main function is to extract an embedded command-and-control (C2) address, which is decrypted using a unique technique so that the address is not exposed to automated malware analysis tools.

To decode the C2 server address, the dropper combines the filename with a snippet from a Spanish poem found in the dropper code and calculates the MD5 hash of the combined string. This hash acts as the key to decode the C2 server address. The dropper then establishes connections with the C2 server and downloads a next-stage payload after providing a hard-coded ID as the User-Agent string in the HTTP request.
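As an added illustration (not code from the campaign or from the researchers), here is the key derivation the paragraph describes, written as an analyst helper. The page states only that the MD5 of the filename combined with the poem snippet acts as the key, so the concatenation order, the repeating-key XOR cipher, the poem snippet and the sample C2 value are all assumptions or constructed placeholders. The point for defenders: a sample renamed by a sandbox or a collection pipeline derives the wrong key, so the original filename must be preserved for analysis.

```python
import hashlib
from typing import Optional

# Constructed stand-ins: the real poem snippet and C2 address are not on the page.
POEM_SNIPPET = "<spanish poem snippet, placeholder>"
ORIGINAL_FILENAME = "dropper.exe"  # assumed name the sample was delivered under


def derive_key(filename: str, poem_snippet: str) -> bytes:
    """Key = MD5(filename + poem snippet); concatenation order is an assumption."""
    return hashlib.md5((filename + poem_snippet).encode("utf-8")).digest()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Assumed cipher: repeating-key XOR (the page does not name the cipher)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_c2(blob: bytes, filename: str, poem_snippet: str) -> Optional[str]:
    """Decode the embedded C2 blob; return None if the result is not printable ASCII,
    which is what an analyst sees when the sample has been renamed."""
    plain = xor_with_key(blob, derive_key(filename, poem_snippet))
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


# Constructed sample blob: a placeholder C2 host encrypted under the original filename.
SAMPLE_C2 = "c2.example.invalid"  # placeholder, not a real indicator
SAMPLE_BLOB = xor_with_key(SAMPLE_C2.encode(), derive_key(ORIGINAL_FILENAME, POEM_SNIPPET))


if __name__ == "__main__":
    # With the original filename the C2 decodes; a renamed copy yields garbage or None.
    print(recover_c2(SAMPLE_BLOB, ORIGINAL_FILENAME, POEM_SNIPPET))
    print(recover_c2(SAMPLE_BLOB, "sample.bin", POEM_SNIPPET))
```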

The payload cannot be downloaded unless the correct User-Agent is supplied, indicating a high level of control over the malware’s distribution. Additionally, the trojanized Total Commander installer implements anti-analysis checks that prevent a connection to the C2 server under specific conditions, such as the presence of a debugger or monitoring tool, a cursor position that has not changed after a certain time, or insufficient RAM or disk capacity.

CR4T is a C/C++-based memory-only implant that, after contacting the C2 server, allows attackers to access a command-line console on the infected machine, perform file operations, and upload and download files. The researchers also identified a Golang version of CR4T with similar features, including the ability to execute arbitrary commands and create scheduled tasks using the Go-ole library.

The Golang variant of CR4T achieves persistence by hijacking COM objects and uses the Telegram API for C2 communications. This indicates that the threat actors behind DuneQuixote are actively refining their techniques with cross-platform malware, targeting entities in the Middle East with stealthy and persistent tools.

The “DuneQuixote” campaign demonstrates the attackers’ above-average evasion capabilities and techniques, highlighting the need for enhanced cybersecurity measures to protect against such sophisticated threats.

To protect against CR4T and similar threats, organizations should regularly update their software, use reputable antivirus and anti-malware solutions, and conduct regular security audits to identify and mitigate vulnerabilities. Additionally, employee training on recognizing phishing attempts and suspicious activities can help prevent unauthorized access to systems.