Malicious Tor Exit Node Linked to MiniDuke APT Campaign

Security researchers have warned that a malicious Tor exit node discovered last month is actually part of a much larger APT operation connected with targeted attacks against European government agencies.

The Tor Project flagged the node at the end of October as a ‘bad exit’ after discovering that the Russian owner had compromised binaries in order to introduce malware to machines passing through.

After investigating further, F-Secure has found that the malware used in this case is related via its infrastructure to the notorious MiniDuke family which has been used in targeted attacks against NATO and European government agencies.

F-Secure has christened this new malware family OnionDuke and revealed that the cyber-criminals behind it have been infecting downloaded executables since at least the end of October 2013.

“We also have evidence suggesting that, at least since February of 2014, OnionDuke has not only been spread by modifying downloaded executables but also by infecting executables in .torrent files containing pirated software,” it added in a blog post.

“However, it would seem that the OnionDuke family is much older, both based on older compilation timestamps and also on the fact that some of the embedded configuration data makes reference to an apparent version number of 4 suggesting that at least three earlier versions of the family exist.”

F-Secure added that there’s strong evidence to suggest OnionDuke itself has been used in targeted attacks against European government agencies, although the infection vector remains a mystery.

“Interestingly, this would suggest two very different targeting strategies,” it said.

“On one hand is the ‘shooting a fly with a cannon’ mass-infection strategy through modified binaries and, on the other, the more surgical targeting traditionally associated with APT operations.”

The Finnish security firm also had a word of advice for those using Tor, namely that using it paints “a huge target on your back” from a security perspective.

“It’s never a good idea to download binaries via Tor (or anything else) without encryption,” it concluded.

“The problem with Tor is that you have no idea who is maintaining the exit node you are using and what their motives are. VPNs will encrypt your connection all the way through the Tor network, so the maintainers of Tor exit nodes will not see your traffic and can’t tamper with it.”
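The practical defence behind F-Secure’s advice is to check every downloaded executable against a digest the vendor published over an authenticated channel (HTTPS, a signed page or a signed checksum file) before running it, so that an exit node rewriting a cleartext download is caught rather than trusted. The Python below is an added example and is not code from F-Secure, the Tor Project or the Infosecurity Magazine article; the SHA256SUMS-style manifest, the file names and the byte strings standing in for installers are all constructed for illustration.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed stand-ins for an installer as received over the wire. Real code
# would read the bytes from the file it just downloaded.
GOOD_INSTALLER = b"MZ\x90\x00" + b"clean installer body (constructed sample)"
# Same file with bytes appended by an on-path party, as a bad exit node could do
# to a cleartext HTTP download.
TAMPERED_INSTALLER = GOOD_INSTALLER + b"<bytes injected in transit>"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the raw download."""
    return hashlib.sha256(data).hexdigest()


# Constructed SHA256SUMS-style manifest: "<hex digest>  <filename>" per line.
# The manifest itself MUST come over an authenticated channel; if it travels in
# the same cleartext stream as the binary, a tampering exit node can rewrite both.
MANIFEST = (
    "# constructed manifest, sha256sum format\n"
    f"{sha256_hex(GOOD_INSTALLER)}  installer.exe\n"
)

_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse a sha256sum-format manifest into {filename: lowercase hex digest}.

    Malformed lines raise ValueError instead of being skipped: a checker that
    silently ignores lines it cannot parse can be talked into verifying nothing.
    """
    digests: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in digests and digests[name] != digest:
            raise ValueError(f"manifest lists {name!r} with conflicting digests")
        digests[name] = digest
    return digests


def verify_file(name: str, data: bytes, manifest: Dict[str, str]) -> str:
    """Return 'ok', 'mismatch', or 'unlisted' for a downloaded file.

    'unlisted' is treated as a failure by callers: a file the vendor never
    published a digest for should not be run on the strength of the manifest.
    """
    expected = manifest.get(name)
    if expected is None:
        return "unlisted"
    actual = sha256_hex(data)
    # Constant-time comparison; the digest is not secret, but this avoids
    # building a habit of ordinary string comparison for verification code.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def verify_downloads(files: Dict[str, bytes], manifest_text: str) -> Dict[str, str]:
    """Check every downloaded file against the manifest; returns per-file status."""
    manifest = parse_manifest(manifest_text)
    return {name: verify_file(name, data, manifest) for name, data in files.items()}


if __name__ == "__main__":
    results = verify_downloads(
        {"installer.exe": TAMPERED_INSTALLER, "helper.exe": GOOD_INSTALLER},
        MANIFEST,
    )
    for fname, status in results.items():
        print(f"{fname}: {status}")
    if any(status != "ok" for status in results.values()):
        print("refusing to run: at least one download failed verification")
```

The check only helps when the manifest arrives by a path the exit node cannot rewrite, which is why the example keeps the manifest separate from the download and refuses both mismatched and unlisted files rather than only the former.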
