Mysterious DarkUniverse APT remained undetected for 8 years

Kaspersky discovered a previously unknown APT group, tracked as DarkUniverse, by analyzing Shadow Brokers’ “Lost in Translation” data dump.

In 2017, the hacker group known as the Shadow Brokers published online a data dump called “Lost in Translation” containing malware and hacking tools stolen from the arsenal of the NSA-linked Equation Group.

The dump also included an intriguing Python script named sigs.py that checks a compromised system for traces of other APT groups' tools.
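To make concrete what a host-artefact check of that kind does, here is an added example, written for this article and not the leaked sigs.py itself: each signature names a relative path that must exist, optionally the SHA-256 the file must have, optionally a byte string it must contain, and the scanner reports which signatures are present on a throwaway directory tree standing in for a compromised host. Every signature name, path and file content below is constructed for the example and belongs to no real implant.

```python
import hashlib
import os
import tempfile

# Constructed content for one of the sample files; its hash is used as a
# signature below so the hash check has something real to compare against.
CFG_CONTENT = b"c2=https://example.invalid/u\nsleep=3600\n"

# Constructed signature list. Each entry names one host artefact to look for:
# a relative path that must exist, optionally the SHA-256 the file must have,
# optionally a byte string it must contain. Names and paths are made up and
# belong to no real implant.
EXAMPLE_SIGNATURES = [
    {"name": "actor-a-dropper", "path": "ProgramData/svchost_helper.dll",
     "sha256": None, "contains": b"MZ"},
    {"name": "actor-b-config", "path": "Users/Public/cfg.dat",
     "sha256": hashlib.sha256(CFG_CONTENT).hexdigest(), "contains": None},
    {"name": "actor-c-keylog", "path": "Windows/Temp/kl.log",
     "sha256": None, "contains": b"[KEYLOG]"},
    {"name": "actor-d-driver", "path": "Windows/System32/absent.sys",
     "sha256": None, "contains": None},
]


def sha256_of(path):
    """Stream a file through SHA-256 so large artefacts are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_host(root, signatures):
    """Return {signature name: verdict} for every signature whose path exists.

    "match" means every declared check passed; "path-only" means the file is
    present but a declared hash or content check failed (a renamed or
    updated build, or an unrelated file at the same path). Signatures whose
    path is absent are left out of the result.
    """
    verdicts = {}
    for sig in signatures:
        full = os.path.join(root, *sig["path"].split("/"))
        if not os.path.isfile(full):
            continue
        passed = True
        if sig["sha256"] and sha256_of(full) != sig["sha256"]:
            passed = False
        if sig["contains"]:
            with open(full, "rb") as handle:
                if sig["contains"] not in handle.read():
                    passed = False
        verdicts[sig["name"]] = "match" if passed else "path-only"
    return verdicts


def build_sample_host():
    """Create a throwaway directory tree standing in for a compromised host."""
    root = tempfile.mkdtemp(prefix="sigscan-")
    files = {
        "ProgramData/svchost_helper.dll": b"MZ\x90\x00" + b"\x00" * 60,
        "Users/Public/cfg.dat": CFG_CONTENT,
        "Windows/Temp/kl.log": b"unrelated log text\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)
    return root


if __name__ == "__main__":
    for name, verdict in scan_host(build_sample_host(), EXAMPLE_SIGNATURES).items():
        print(f"{name}: {verdict}")
```

The "path-only" verdict is the useful part for an analyst: a file sitting at a known path with the wrong hash or missing marker is often a newer build of the same tool, so it is worth a closer look rather than being silently dropped as a non-match.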

The analysis of the script revealed the existence of a mysterious APT group, tracked by Kaspersky Lab as ‘DarkUniverse’, that was active at least from 2009 until 2017.

The researchers assess with medium confidence that DarkUniverse belongs to the ItaDuke umbrella of activities, due to unique code overlaps. ItaDuke has been active at least since 2013; it leverages PDF zero-day exploits to drop malware on target systems and Twitter accounts to pass C2 URLs.

The DarkUniverse APT carried out spear-phishing attacks using weaponized Microsoft Office documents; each email was prepared separately for each victim.

The threat actors compiled each malware sample immediately before sending it and always used the latest available version of the executable. Experts noticed that the attackers were resourceful and that the framework evolved significantly over time.

The executable file embedded in the documents drops two dynamic-link libraries on the target system, updater.mod and glue30.dll.

The updater.mod module is responsible for communication with the C2 server, for maintaining the malware's integrity and persistence, and for managing the other malware modules. The glue30.dll module provides keylogging functionality.

“The glue30.dll malware module provides keylogging functionality. The updater.mod module uses the Win API function SetWindowsHookExW to install hooks for the keyboard and to inject glue30.dll into processes that get keyboard input. After that, glue30.dll loads and begins intercepting input in the context of each hooked process.” reads the analysis published by Kaspersky.

“The msvcrt58.sqt module intercepts unencrypted POP3 traffic to collect email conversations and victims’ credentials. This module looks for traffic from the following processes:

  • outlook.exe;
  • winmail.exe;
  • msimn.exe;
  • nlnotes.exe;
  • eudora.exe;
  • thunderbird.exe;
  • thunde~1.exe;
  • msmsgs.exe;
  • msnmsgr.exe.”
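Why a module that merely reads traffic from these mail clients yields credentials is easy to show: unencrypted POP3 sends the login in the clear, either as USER/PASS or as a base64 SASL PLAIN blob. The following added example (written for this article; it is not DarkUniverse's msvcrt58.sqt nor Kaspersky's code) parses the client side of a constructed cleartext POP3 session the way a sniffer on TCP/110 would see it, and wraps that in the detection a defender wants: flag any login that crosses the wire unencrypted. All hostnames, accounts, passwords and IP addresses are made up.

```python
import base64
import binascii

# Constructed transcript of a cleartext POP3 login as a sniffer would see it
# on TCP/110: "C:" lines are client->server, "S:" lines server->client.
# Hostnames, accounts and passwords are made up for this example.
SAMPLE_USER_PASS = """\
S: +OK POP3 server ready
C: USER alice@example.test
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 2 3410
C: QUIT
S: +OK Bye
"""

# Same idea with SASL PLAIN and the initial response on the AUTH line; the
# base64 blob decodes to "\0bob@example.test\0s3cr3t" (constructed).
SAMPLE_AUTH_PLAIN = """\
S: +OK POP3 server ready
C: AUTH PLAIN AGJvYkBleGFtcGxlLnRlc3QAczNjcjN0
S: +OK Logged in.
"""


def parse_pop3_credentials(session_text):
    """Return [(username, password), ...] leaked by a cleartext POP3 client stream.

    Covers the two unencrypted forms a sniffer actually meets: USER/PASS and
    AUTH PLAIN with the initial response on the same line. After STLS the
    stream is TLS and nothing here applies, which is exactly the defence.
    """
    creds = []
    pending_user = None
    for raw in session_text.splitlines():
        if not raw.startswith("C:"):
            continue  # only the client direction carries credentials
        verb, _, arg = raw[2:].strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            pending_user = arg
        elif verb == "PASS" and pending_user is not None:
            creds.append((pending_user, arg))
            pending_user = None
        elif verb == "AUTH":
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN" or not blob:
                continue  # multi-step AUTH or other mechanisms are not handled
            try:
                decoded = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue  # malformed blob: not a usable credential
            parts = decoded.split(b"\x00")
            if len(parts) == 3:  # authzid \0 authcid \0 password
                creds.append((parts[1].decode("utf-8", "replace"),
                              parts[2].decode("utf-8", "replace")))
    return creds


def find_cleartext_pop3_logins(flows):
    """Detection view: flows is an iterable of (client_ip, server_port, client_stream).

    Returns [(client_ip, username)] for every login sent in the clear on the
    standard POP3 port. Port 995 (POP3S) is TLS-wrapped end to end, so a
    sniffer sees no commands there and it is skipped.
    """
    hits = []
    for client_ip, port, stream in flows:
        if port != 110:
            continue
        for user, _password in parse_pop3_credentials(stream):
            hits.append((client_ip, user))
    return hits


if __name__ == "__main__":
    print(parse_pop3_credentials(SAMPLE_USER_PASS))
    print(parse_pop3_credentials(SAMPLE_AUTH_PLAIN))
```

The parser deliberately reports only the username in the detection output: the point of the alert is that a mailbox was exposed on the wire, and the password itself should not be copied into a SIEM.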

Kaspersky identified around 20 victims in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates, but experts believe that the number of victims between 2009 and 2017 was much greater.

For command and control, the attackers used the mydrive.ch cloud storage service: for every victim, the operators created a new account and uploaded additional malware modules and a configuration file containing the commands to execute.

“DarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years. The malware contains all the necessary modules for collecting all kinds of information about the user and the infected system and appears to be fully developed from scratch.” concludes Kaspersky.

“The suspension of its operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artefacts for their operations.”


Pierluigi Paganini

(SecurityAffairs – APT, malware)
