Saturday, August 25, 2018

Duqu

The Duqu trojan was discovered on September 1, 2011 by CrySyS Lab of the Budapest University of Technology and Economics in Hungary. The code of the malware is very similar to that of the Stuxnet worm, and it is believed to be either the product of a sister project or a derivative of the Stuxnet source code. In particular, the kernel driver of the malware is practically the same as the kernel driver of Stuxnet (commonly named JMINET.SYS and MRXCLS.SYS respectively). The former case implies that the malware was developed and deployed by a state sponsor, likely the United States or Israel. The latter case, by contrast, widens the attribution to practically any well-resourced actor on the internet.

Unlike the Stuxnet worm, the Duqu trojan was not meant to sabotage the host systems; instead, like most modern malware, its purpose was covert information exfiltration. The Duqu malware was found on target systems similar to those of Stuxnet, so it is reasonable to conclude that it was likely developed and deployed to collect information pertinent to current events or information necessary to launch future espionage or sabotage campaigns. Duqu primarily targeted the industrial infrastructure of system manufacturers and the industrial sector in Middle Eastern countries. The adversary exfiltrates confidential documents such as design specifications and network information, likely to aid future attack campaigns.

scada
