OnionDuke

OnionDuke is a family of backdoor Trojans that may install other threats, gather private data about your PC and enable future attacks by third parties. Named for its recent association with the Tor Browser, OnionDuke may be bundled with unrelated executable files and programs, making its installation potentially wide, albeit randomly distributed. All evidence of OnionDuke's capabilities leads malware experts to rank OnionDuke as a high-level threat, and deleting OnionDuke without any help from professional anti-malware software is heavily discouraged.

The New Layer Beneath MiniDuke Campaigns

Previously, the MiniDuke family of backdoor Trojans earned its notoriety for involvement in campaigns attacking government institutions through e-mail attachments. However, its maintainers may have moved on; new evidence has surfaced of a second family of similar Trojans using the same Web infrastructure: OnionDuke. Structurally, OnionDuke is distinct from MiniDuke, but may operate with similar payloads, including attacks such as:

• Installing additional forms of threatening software, including Trojans meant to gather security-related system information (such as whether your system is protected by a firewall) or grab text from account login fields.
• Communicating through a backdoor connection to a C&C server that allows third parties to browse uploaded information and issue instructions. All confirmed C&C servers so far have been hacked websites, rather than domains owned by the third parties, themselves.

OnionDuke bears its informal name for its distribution campaign exploiting Tor, an anonymity-enabling Web browser. Criminals compromising specific exit nodes caused OnionDuke to bundle with unrelated file downloads. To a lesser extent, OnionDuke also may be seen packaged in torrent-distributed archives, which are a prominent source of software piracy. Launching the compromised files installs OnionDuke automatically through a Trojan dropper component via a standardized DLL-loading technique.

There also is some circumstantial evidence that OnionDuke may be continuing in its forebears footsteps by attacking government agencies, specifically for the region of Europe. While evidence of OnionDuke's distribution only goes to 2013, version information included in OnionDuke's body causes malware experts to suspect that this Trojan family is several years older than that.

Peeling the Trojans Away from Your Privacy

Although OnionDuke has capitalized on the same privacy invasion concerns that have made Tor a popular application, there are ways of protecting your privacy and your computer simultaneously. In addition to you seeking alternative services, malware experts can recommend the use of virtual private networks (or VPNs) to encrypt your downloads, as well as scanning downloaded files before you open them. OnionDuke includes multiple components and sophisticated defenses, like most well-designed backdoor families, and removing OnionDuke always should be handled by anti-malware solutions.

OnionDuke is one of the few families to have suspected involvement in both non-targeted attacks and targeted ones. With respect to the latter, malware researchers are still uncovering evidence of its distribution routines. E-mail attachments and local network compromises are two of the most common factors in government, corporate and NGO threat campaigns, and may pertain to OnionDuke, as well.

Technical Details