In October 2014, Leviathan Security Group disclosed that a Russia based Tor exit node was attaching malware onto the files that passed through it by wrapping legitimate executables with the malware executable. The technique increased the attacker’s chance of bypassing integrity check mechanisms. The malware campaign is believed to have been active from at least February 2013 through spring 2015. OnionDuke does not operate like the other Duke campaigns; however, it does share some C&C infrastructure with the miniduke attacks. Moreover, unshared domains in both campaigns were registered using the same alias, John Kasai. As such, it stands to reason that OnionDuke is another Russian sponsored APT group.
OnionDuke attacks target government agencies in Central Europe. However, because it is unlikely that European government agencies are accessing Tor from their high value systems, the secondary distribution vector of the malware remains unclear. The malware has also been found targeting pirated software. It is possible that the campaign distributes the malware through scattershot attacks via the Tor network and torrent sites and through another yet unobserved vector, such as phishing or wateringhole attacks. The infection of Tor files appears to fail if the victim users a VPN channel that encrypts traffic. Systems infected with CozyDuke may be infected with OnionDuke if the former malware is used to deliver and execute the latter malware’s dropper. It is possible that the OnionDuke attacks were conducted to infect a broad range of target to gather information for the other Duke campaigns and to build a botnet for the adversary.