Posted: November 14, 2014
Threat Metric
Threat Level: 6/10
Infected PCs 16

OnionDuke Description

OnionDuke is a family of backdoor Trojans that may install other threats, gather private data about your PC and enable future attacks by third parties. Named for its recent association with the Tor Browser, OnionDuke may be bundled with unrelated executable files and programs, making its installation potentially wide, albeit randomly distributed. All evidence of OnionDuke's capabilities leads malware experts to rank OnionDuke as a high-level threat, and deleting OnionDuke without any help from professional anti-malware software is heavily discouraged.

The New Layer Beneath MiniDuke Campaigns

Previously, the MiniDuke family of backdoor Trojans earned its notoriety for involvement in campaigns attacking government institutions through e-mail attachments. However, its maintainers may have moved on; new evidence has surfaced of a second family of similar Trojans using the same Web infrastructure: OnionDuke. Structurally, OnionDuke is distinct from MiniDuke, but may operate with similar payloads, including attacks such as:

  • Installing additional forms of threatening software, including Trojans meant to gather security-related system information (such as whether your system is protected by a firewall) or grab text from account login fields.
  • Communicating through a backdoor connection to a C&C server that allows third parties to browse uploaded information and issue instructions. All confirmed C&C servers so far have been hacked websites, rather than domains owned by the third parties, themselves.

OnionDuke bears its informal name for its distribution campaign exploiting Tor, an anonymity-enabling Web browser. Criminals compromising specific exit nodes caused OnionDuke to bundle with unrelated file downloads. To a lesser extent, OnionDuke also may be seen packaged in torrent-distributed archives, which are a prominent source of software piracy. Launching the compromised files installs OnionDuke automatically through a Trojan dropper component via a standardized DLL-loading technique.

There also is some circumstantial evidence that OnionDuke may be continuing in its forebears footsteps by attacking government agencies, specifically for the region of Europe. While evidence of OnionDuke's distribution only goes to 2013, version information included in OnionDuke's body causes malware experts to suspect that this Trojan family is several years older than that.

Peeling the Trojans Away from Your Privacy

Although OnionDuke has capitalized on the same privacy invasion concerns that have made Tor a popular application, there are ways of protecting your privacy and your computer simultaneously. In addition to you seeking alternative services, malware experts can recommend the use of virtual private networks (or VPNs) to encrypt your downloads, as well as scanning downloaded files before you open them. OnionDuke includes multiple components and sophisticated defenses, like most well-designed backdoor families, and removing OnionDuke always should be handled by anti-malware solutions.

OnionDuke is one of the few families to have suspected involvement in both non-targeted attacks and targeted ones. With respect to the latter, malware researchers are still uncovering evidence of its distribution routines. E-mail attachments and local network compromises are two of the most common factors in government, corporate and NGO threat campaigns, and may pertain to OnionDuke, as well.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to OnionDuke may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

file.exe File name: file.exe
Size: 219.13 KB (219136 bytes)
MD5: 5473e29ca75d475f545fa7d9f85e564f
Detection count: 58
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 18, 2014
UserCache.dll File name: UserCache.dll
Size: 126.46 KB (126464 bytes)
MD5: c8eb6040fd02d77660d19057a38ff769
Detection count: 19
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
Last Updated: November 18, 2014

Registry Modifications

The following newly produced Registry Values are:

Regexp file mask%LOCALAPPDATA%\Startup\kb[NUMBERS].lnk

Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.