The rogue Russian Tor exit node that was reported to be patching binary files is actually distributing a cyber-espionage tool dubbed OnionDuke, security researcher Artturi Lehtiö of F-Secure has revealed.

Just last month, Josh Pitts of Leviathan Security discovered that one exit node on the anonymity network was actively patching binary files. Digging into and extending the research performed by Pitts, Artturi concluded that the exit node was actually linked to the notorious Russian APT family MiniDuke.

Security experts at F-Secure analysed the new malware distribution technique and shed light on how the malware’s payload was executed, the communication patterns of the malware with its command and control (C&C) server, and the embedded functionality.

According to Artturi, when a user attempts to download a file via the rogue Tor exit node, what “they actually receive is an executable “wrapper” that embeds both the original executable and a second, malicious executable.” By using a separate wrapper, the perpetrators are able to bypass any integrity checks that may be present in the original executable.

Once this downloaded executable is launched, both the original and the patched binary – a malware dropper – are executed. This entire process is hidden from the user because the malware dropper runs behind the original executable.

“Upon execution, the wrapper will proceed to write to disk and execute the original executable, thereby tricking the user into believing that everything went fine. However, the wrapper will also write to disk and execute the second executable”, notes Artturi.
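A triage heuristic for the wrapper layout described above, as an added example that is not from the original article or from F-Secure's research: it scans a downloaded file for more than one PE image header. It assumes the embedded executables are stored uncompressed and unencrypted, which the article does not state, and legitimate installers also embed executables, so a hit means "review this file", not "malicious". All function names and sample bytes are constructed for illustration.

```python
import struct

DOS_HEADER_SIZE = 0x40   # size of the fixed DOS header
E_LFANEW_OFFSET = 0x3C   # DOS header field holding the offset of "PE\0\0"
MAX_E_LFANEW = 0x1000    # heuristic upper bound (assumption, not a PE rule)


def find_pe_images(data: bytes) -> list:
    """Return the offset of every plausible PE image header in data."""
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + DOS_HEADER_SIZE <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + E_LFANEW_OFFSET)
            sig = pos + e_lfanew
            # Require a sane e_lfanew that really points at a PE signature,
            # so a stray "MZ" byte pair in code or data is not counted.
            if (DOS_HEADER_SIZE <= e_lfanew <= MAX_E_LFANEW
                    and data[sig:sig + 4] == b"PE\0\0"):
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def looks_like_wrapper(data: bytes) -> bool:
    """True if the file is itself a PE and carries two or more further PE images."""
    images = find_pe_images(data)
    return bool(images) and images[0] == 0 and len(images) >= 3


def _stub_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file: DOS header, PE signature, payload."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)
    return bytes(dos) + b"PE\0\0" + payload


# Constructed samples: a wrapper carrying two embedded images, and a plain file.
SAMPLE_WRAPPER = (_stub_pe(b"wrapper code") + _stub_pe(b"original")
                  + _stub_pe(b"second"))
SAMPLE_CLEAN = _stub_pe(b"plain program")

if __name__ == "__main__":
    for name, blob in (("wrapper", SAMPLE_WRAPPER), ("clean", SAMPLE_CLEAN)):
        print(name, find_pe_images(blob), looks_like_wrapper(blob))
```
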

Artturi notes that analysis found the dropper contained an encrypted DLL masquerading as a GIF image. Once this dropper, dubbed Trojan-Dropper:W32/OnionDuke.A, is executed, it decrypts the DLL, stores it on the disk and executes it. After this, the malicious activity continues with decryption of a configuration file and connection to hard-coded C&C servers.

The research found many components of the OnionDuke malware family, including components for stealing credentials and for firewall and antivirus evasion, among others. Artturi notes that it is one of these components that gave away the connection between OnionDuke and MiniDuke.

The connection was a C&C domain used by the espionage tool. It was registered in 2011 under the alias John Kasai, an alias that was also used for registering other domains two weeks later.

“This strongly suggests that although OnionDuke and MiniDuke are two separate families of malware, the actors behind them are connected through the use of shared infrastructure,” notes Artturi.