Free Republic
General/Chat

To: dayglored

It’s late and I may be missing something obvious — How does this malware reside solely in memory with nothing written to the disk? How does it get into the memory on power-up if not from the disk?


26 posted on 06/15/2015 11:22:48 PM PDT by Bob (No, being a US Senator and the Secretary of State are not accomplishments; they're jobs.)


To: Bob
> How does this malware reside solely in memory with nothing written to the disk? How does it get into the memory on power-up if not from the disk?

The malware is in the form of a 64-bit kernel-level driver, which because it will be loaded into such a secure part of the operating system (the kernel), must be signed digitally and verified. That's what the stolen key/cert is about -- it "validates" to Windows that the malware-infected driver is okay to load.

So in that sense the malware has a persistent presence, in the loadable driver, on the machines where it loads on boot.

But the driver is loaded into special machines on boot -- gateways, routers, firewalls -- that specifically have the internet on one side and the corporate local network on the other side. This means the driver gets to see, filter, change, redirect, or block any network traffic it wants to. It also -- and this is important -- can dynamically supply the infected driver over the corporate network to any/all other machines inside.

And in that way, those machines do NOT have a persistent, disk-resident copy of the malware.

Or at least, that's the picture I get from this Kaspersky release:

https://securelist.com/blog/research/70641/the-duqu-2-0-persistence-module/

If you read that and get a different picture, by all means write back and correct my misapprehension. Thanks!
27 posted on 06/16/2015 12:57:01 AM PDT by dayglored (Meditate for twenty minutes every day, unless you are too busy, in which case meditate for an hour.)
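The reply above turns on two defender-relevant points: a kernel driver must carry a valid Authenticode signature to load, and a signature made with a stolen certificate still verifies as "Valid" unless the certificate has been revoked or is otherwise flagged. The following PowerShell script is an added example, not code from the thread or from the Kaspersky write-up it links. It enumerates the kernel drivers currently running on a Windows host, resolves their on-disk paths, checks each file's signature with `Get-AuthenticodeSignature`, and flags anything that is unsigned, tampered, missing from disk, or signed by a certificate thumbprint you have listed as compromised. The `$SuspectThumbprints` list holds placeholder values only; the function names are this example's own.

```powershell
# Added example: audit running kernel drivers for signature status and signer.
# Run from an elevated PowerShell prompt on the host being checked.

# Placeholder list of signer thumbprints you treat as compromised (for instance a
# code-signing certificate known to have been stolen). Replace with your own values.
$SuspectThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-OF-STOLEN-CERT'
)

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Service image paths often use NT-style prefixes; map them to Win32 paths.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig   = Get-AuthenticodeSignature -FilePath $path
                $cert  = $sig.SignerCertificate
                $thumb = if ($cert) { $cert.Thumbprint } else { $null }
                [pscustomobject]@{
                    Name       = $_.Name
                    Path       = $path
                    Status     = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                    Signer     = if ($cert) { $cert.Subject } else { '' }
                    Thumbprint = $thumb
                    # A stolen certificate still yields Status = Valid, so the
                    # thumbprint list is what catches that case.
                    Suspect    = ($sig.Status -ne 'Valid') -or ($SuspectThumbprints -contains $thumb)
                }
            } else {
                # A running driver whose image file cannot be found on disk is itself
                # worth a closer look (or the path simply needs another prefix mapping).
                [pscustomobject]@{
                    Name = $_.Name; Path = $_.PathName; Status = 'FileNotFound'
                    Signer = ''; Thumbprint = $null; Suspect = $true
                }
            }
        }
}

# Print the report with suspect entries first.
Get-DriverSignatureReport |
    Sort-Object -Property @{ Expression = 'Suspect'; Descending = $true }, Name |
    Format-Table Name, Status, Suspect, Signer -AutoSize
```

Two caveats follow directly from the thread. First, a "Valid" status only says the signature chains to a trusted root; it says nothing about whether the signer's key was stolen, which is why the script compares thumbprints against a list you maintain rather than trusting the status alone. Second, this check only inspects files on disk, so it applies to the hosts where the driver is actually persisted; machines that received the code over the network and hold it only in memory, as the reply describes, would need memory inspection rather than a file audit.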
