Microsoft Windows vulnerability exploited by Duqu
More information on the mystery that is Duqu emerges, adding more weight to the claim the malware was created by Stuxnet's authors.

The Duqu malware, believed by some to be a product of the Stuxnet creators, used a Microsoft Windows flaw to exploit targets' systems.
Duqu was uncovered by Hungarian security company CrySys Labs last month and, as it used much of the same code as Stuxnet, was thought to have been forged by the same hands.
Security researchers were previously at a loss as to how the Duqu malware was able to find its way onto people's computers, but now the missing link has been found.
"The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution," Symantec explained in a blog post.
"When the file is opened, malicious code executes and installs the main Duqu binaries."
Thanks to the shell code, Duqu could only be installed during an eight-day period in August, the security giant reported, noting that attackers could command Duqu to spread to other machines within an organisation.
In some cases Duqu was seen using a peer-to-peer network in order to talk with other infected machines before communicating with the attackers' command and control centre.
"Consequently, Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies," Symantec said.
Microsoft is currently working on a patch for the vulnerability, believed by some to be in win32k.sys, but a fix is not expected in November's Patch Tuesday.
According to Kaspersky, the new evidence adds further weight to suggestions that the Stuxnet creators really were behind Duqu.
"The detection of the dropper and the route used to penetrate the system (a targeted attack against a specific victim conducted via email) proves our theory that the Duqu attacks are directed against a very small number of victims and in each case, they can employ unique sets of files," Kaspersky said in its own blog post.
"To infect other computers in the network, Duqu seems to be using scheduled jobs, a technique that we've also seen in Stuxnet and is a preferred choice of APTs. These, together with other previously known details, reinforce the theory that Stuxnet and Duqu were created by the same people."
The Russian security firm said it had detected three victims in Sudan and four in Iran. Symantec said six "possible organisations" in eight countries, including the UK, have confirmed infections.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.