Stardust is a wiper malware identified in attacks on specific targets, notably the Katerji Group and Arfada Petroleum, both located in Syria. It belongs to the same family of malicious payloads as Meteor and Comet but has distinct characteristics: unlike its counterparts, Stardust does not overwrite the boot sector, and instead of using batch files for the early infection stages, as other recent attacks did, it relies on multiple VBS scripts. Its wiper function also contains the string "INDRA", which appears to serve as a unique identifier or command.
Stardust compromises and controls infected systems through a sequence of deliberate steps. It uses the configuration fields log_server_ip and log_server_port to send a Base64-encoded log file to a remote server, giving the attacker detailed information about the compromised system. Notably, both Stardust and Comet use "Lock My PC 4", a tool that was once publicly available. After running this program, they delete the "hkSm" registry value, which removes the generated lock password, and then delete the tool's uninstaller, making recovery of the system more difficult.
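The two behaviours described above (deleting the "hkSm" lock-password value followed by deleting the tool's uninstaller, and uploading a Base64-encoded log file to the configured log server) are the kind of sequence a detection engineer would correlate in endpoint telemetry. The following Python is an added example, not code from the report or from any vendor; the event records are constructed, Sysmon-like and simplified, the registry key path is a placeholder because the description names only the value, and the field names (`type`, `host`, `payload`, and so on) are assumptions about the telemetry schema.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample telemetry (simplified, Sysmon-like records; not logs from the report).
# The registry key path is a placeholder: the description names only the "hkSm" value, not its key.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws1", "type": "process", "image": r"C:\Tools\LockMyPC4\lmpc.exe"},
    {"ts": 101, "host": "ws1", "type": "registry_delete",
     "key": r"HKLM\SOFTWARE\<LOCK_MY_PC_KEY_PLACEHOLDER>", "value": "hkSm"},
    {"ts": 103, "host": "ws1", "type": "file_delete", "path": r"C:\Tools\LockMyPC4\unins000.exe"},
    {"ts": 110, "host": "ws1", "type": "network", "dst_ip": "203.0.113.10", "dst_port": 8080,
     "payload": base64.b64encode(b"host=ws1;user=admin;os=Windows 10").decode()},
    # Benign noise: an unrelated value deletion and a plain-text HTTP request.
    {"ts": 200, "host": "ws2", "type": "registry_delete", "key": r"HKCU\Software\Example", "value": "LastRun"},
    {"ts": 201, "host": "ws2", "type": "network", "dst_ip": "198.51.100.5", "dst_port": 80,
     "payload": "GET /index.html HTTP/1.1"},
]

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64(text, min_len=16):
    """Return the decoded bytes if text is a valid Base64 blob of at least min_len chars, else None."""
    if len(text) < min_len or len(text) % 4 != 0 or not _B64_RE.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def detect_lock_cleanup(events, window=300):
    """Flag hosts where the 'hkSm' value is deleted and an uninstaller is deleted within `window` seconds."""
    findings = []
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "registry_delete" or ev.get("value", "").lower() != "hksm":
                continue
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                if later["type"] == "file_delete" and "unins" in later["path"].lower():
                    findings.append({"host": host, "rule": "lock_password_and_uninstaller_removed",
                                     "registry_ts": ev["ts"], "file_ts": later["ts"]})
                    break
    return findings


def detect_encoded_exfil(events):
    """Flag outbound payloads that are Base64 blobs decoding to printable text (a log file in transit)."""
    findings = []
    for ev in events:
        if ev["type"] != "network":
            continue
        raw = decode_if_base64(ev.get("payload", ""))
        if raw is None:
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            findings.append({"host": ev["host"], "rule": "base64_log_upload",
                             "dst": f"{ev['dst_ip']}:{ev['dst_port']}", "preview": text[:40]})
    return findings


def run(events=SAMPLE_EVENTS):
    """Run both detections over the event list and return the combined findings."""
    return detect_lock_cleanup(events) + detect_encoded_exfil(events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The registry-plus-file correlation is ordered and time-bounded per host on purpose: a lone deletion of an uninstaller is routine, and a lone registry value deletion is noisy, but the pair in quick succession after a lock tool runs is what the description singles out. The Base64 check requires strict decoding and a printable result so that ordinary binary uploads and plain HTTP requests do not trip it.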
Despite the similarities between Stardust, Meteor, and Comet, there are notable differences beyond their names. There is no evidence that these tools have been used by other threat actors, which points to a single source or group behind the attacks. Furthermore, unlike Stardust and Meteor, Comet references and uses every string and feature it contains, suggesting a different operational approach.
Description last updated: 2024-04-30T09:15:45.760Z