Duqu 2.0 - The Malware that Hit Kaspersky

June 19, 2015
Suggested Reading

What is Duqu 2.0?

Duqu 2.0 is a complex, stealthy, and highly sophisticated piece of malware that used several zero-day vulnerabilities as well as stolen digital certificates as part of its attack. This cyberespionage tool was used to compromise security firm Kaspersky Lab, who identified the attack and were the first to publicly report it.

Experts at Kaspersky Lab pointed out that they were not the only target of Duqu 2.0: they reported several other campaigns against other victims. They further stated that many of the infections observed in 2014 and 2015 were linked to the P5+1 negotiations on Iran's nuclear programme[1].

Duqu 2.0 is an evolution of the older Duqu worm discovered in 2011, which was used in a number of attack campaigns against industrial targets. Although their functionality differed, Duqu shared many similarities with Stuxnet, the worm used to sabotage Iran's nuclear programme.

What did the press say?

Kaspersky Lab carefully managed the disclosure of the Duqu 2.0 attack through an official statement on their blog:

followed by an article published by Eugene Kaspersky (Founder and CEO of Kaspersky Lab) in which he claims that the attack "was a case of industrial espionage, plain and simple", and that the attack was "most probably carried out by a government-backed group":

Technical details on Duqu 2.0 can be found in the following paper:

Kim Zetter at Wired wrote an interesting summary of the technical paper:

Another interesting technical summary was written by Jack Tang from Trend Labs:

Symantec also published a blog entry on Duqu 2.0. The blog post mentions other targets in Europe, North Africa and Asia:

Even though Duqu 2.0 exploited Windows vulnerabilities that allowed the intruders to bypass the driver-signing requirement, the attackers still chose to sign their malicious drivers with stolen certificates. The following article describes the role of stolen certificates in Duqu 2.0:
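A stolen but not yet revoked code-signing certificate produces a driver that Windows, and most signature checks, report as validly signed, so the practical check on a suspected host is not "is it signed?" but "who signed it, and is that signer known to be compromised?". The script below is an added example written for this page (it is not Kaspersky's tooling and not from any of the linked articles): it enumerates the kernel drivers registered on a Windows host, verifies their Authenticode signatures, and flags drivers that are unsigned, fail verification, or were signed by a certificate on a local blocklist. The `$CompromisedThumbprints` list is a placeholder assumption; populate it from vendor or CA revocation notices, not from this page.

```powershell
# Added example, not from the original page or from Kaspersky Lab.
# Enumerate registered kernel drivers, verify their Authenticode signatures and
# flag unsigned drivers, broken signatures, and drivers signed by a blocklisted
# (known-stolen) certificate.
#
# $CompromisedThumbprints is a PLACEHOLDER (assumption): replace the dummy value
# with the SHA-1 thumbprints of signers you know to be compromised or revoked.
$CompromisedThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder, not a real thumbprint
)

function Test-DriverSignatures {
    param(
        [string[]] $Blocklist = $CompromisedThumbprints
    )
    # Win32_SystemDriver lists every driver service, running or not, which is
    # what we want: a dormant malicious driver is still worth finding.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Some PathName values carry the NT object-manager prefix (\??\); strip it.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $cert = $sig.SignerCertificate

            # A signature made with a stolen certificate verifies as 'Valid', so the
            # signer thumbprint is compared against the blocklist even when the
            # chain checks out.
            $verdict = switch ($sig.Status) {
                'Valid'     { if ($cert -and ($Blocklist -contains $cert.Thumbprint)) { 'BLOCKLISTED_SIGNER' } else { 'OK' } }
                'NotSigned' { 'UNSIGNED' }
                default     { "BAD_SIGNATURE:$($sig.Status)" }
            }

            [pscustomobject]@{
                Driver     = $_.Name
                State      = $_.State
                Path       = $path
                Verdict    = $verdict
                Signer     = if ($cert) { $cert.Subject }    else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                Timestamp  = if ($sig.TimeStamperCertificate) { 'timestamped' } else { 'none' }
            }
        }
}

# Usage: report only the drivers that need a closer look.
Test-DriverSignatures | Where-Object Verdict -ne 'OK' | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: `Get-AuthenticodeSignature` reports on the file on disk, not on the image loaded in memory, so it does not help against a memory-only implant; and its `Status` should not be relied on for revocation, which is why the example keeps an explicit signer blocklist instead of trusting 'Valid' alone. Treat an unexpected signer subject on a driver (a hardware vendor with no business shipping a driver to that host) as worth investigating even when it is not on the blocklist.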

Duqu 2.0 also implements an interesting persistence mechanism which is described in the article below:

There was a lot of media attention on this matter; however, many questions remain unanswered:


[1] R. Bejtlich, "Duqu 2.0: The most sophisticated malware ever seen," InfoSec Institute. [Online]. Available: http://resources.infosecinstitute.com/duqu-2-0-the-most-sophisticated-malware-ever-seen/

About "Suggested Reading" from ENISA

With the "Suggested Reading" series ENISA aims to give the interested reader guidance on controversial and hard-to-follow NIS-related discussions carried out in the media, by suggesting selected, pre-reviewed articles that in our view explain the issue at hand and its circumstances in a reasonable and understandable manner. This view is derived from past experience and common sense; in no way should "Suggested Reading" be understood as a recommended course of action in a specific incident or investigation, or as a final conclusion. Feel free to get in touch with ENISA to discuss or request more information about the "Suggested Reading" series (cert-relations@enisa.europa.eu).
