DarkUniverse – A Weaponized APT Framework Used in NSA Hacking Attack
Darkuniverse apt: The group was exposed after a ShadowBrokers leak.
- A sophisticated espionage APT that was active for at least eight years before receding into the shadows has been uncovered — and researchers said that it may still be active.
- In April 2017, ShadowBrokers published one of their many leaks of cyberweapons used by the National Security Agency (NSA) and other tools. This cache contained a script that hunted for the fingerprints of other APTs within a compromised network. Among the APT signatures used for this was one matching a group dubbed “DarkUniverse” by researchers at Kaspersky.
- Some of the researchers found the existence of the new APT Framework named “DarkUniverse” using Tips from a script that used in the NSA breach in 2017. In these shadow brokers published their well-known ‘Lost in Translation’ Hacking tools leak.
- The campaign cyber-espionage “Lost in Translation”, leaked some of the deadliest exploits such as DarkPulsar, Eternal Blue. These exploits caused billions of dollar loss by giving its power to WannaCry and NotPetya ransomware.
- According to analysis from the company, despite remaining secret, DarkUniverse was active from 2009 until 2017 — and was likely related to the ItaDuke set of campaigns, seen targeting Tibetan and Uyghur dissidents among others since 2013. Researchers said the two share unique code overlaps, that point in that direction.
- The script discovered by the researchers who described as the 27th function of this script that actually checks the traces to other APT activities in the hacked systems.
- Researchers believe that the “DarkUniverse” APT Framework was active at least 8 years from 2009 until 2017, and the traces indicate that it also tied with ItaDuke, an actor that used PDF exploits for dropping previously unknown malware.
- The malicious framework targetted various countries including Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates. The victims included both civilian and military organizations.
DarkUniverse APT Framework Infection process
- Further analysis reveals that the campaign is mostly using the spear-phishing emails to deliver the malware through the weaponized Microsoft Office document attachment.
- There are different versions of the sample has been used for this campaign between 2009 to 2017, and the latest version of the malware used until 2017.
- APT campaigns’ command and control server deployed in the cloud storage at mydrive.ch. The operators created a new account for every victim and uploaded additional malware modules and a configuration file with commands to execute it.
- “DarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years,” Kaspersky analysts said in a Tuesday posting. The malware contains most of the necessary modules for collecting all kinds of information about the user and the infected system.
- To spread its malware in a highly-targeted campaign, DarkUniverse used spearphishing. Each one of the victims received a well-crafted letter tailored to their unique circumstances, also with a prompt to open an attached malicious Microsoft Office document.
- The executable file which is embedded in the documents extracts two malicious files from itself, which are updater.mod and glue30.dll.
- The most important module of the framework is the dfrgntfs5.sqt module, which has deep functionality as a full-service spy tool. The module also injects a shellcode into Internet Explorer that establishes a direct connection with the C2, downloads additional code and then executes it.
- It is capable of taking screenshots, collect the full system info and a wide range of reconnaissance data about the local network. It can also obtain many other info such as brute-force specific IP ranges with username and password combos, obtain file lists and exfiltrate specific files to the C2 connection.
- With all this it also collects and decrypts credentials from Outlook Express, Outlook, Internet Explorer, Windows Mail and Windows Live Mail, Windows Live Messenger, and also Internet Cache. It also checks to see if any proxy credentials are valid and whether it can provide basic MITM functionality.
- dll is also another yet an interesting module, which provides keylogging functionality.
- “The updater.mod module uses the Win API function SetWindowsHookExW to install hooks for the keyboard and to inject glue30.dll into processes that get keyboard input,” researchers wrote. After that, glue30.dll loads and begins intercepting the input in context of each hooked process.
- On the other hand, msvcrt58.sqt module vacuums up email conversations and victims’ credentials from Microsoft Outlook, WinMail, Eudora and others various platforms. What it actually does is that it intercepts and parses unencrypted POP3 traffic, and then sends the result to the main module (updater.mod) for uploading to the C2 connection.
- According to Kaspersky, this analyzed 2017 version of the DarkUniverse framework represents a significant evolution over initial samples from 2009.
- “The attackers were resourceful and kept updating their malware during the full lifecycle of their operations,” researchers wrote.
Kaspersky also said that there was an abrupt end to the DarkUniverse operations in 2017 — but that the group may have simply retooled after being exposed by the ShadowBrokers leak.
For a long time now, APTs are known for attempting to stay under the radar by evolving their tactics and tools after an analysis goes public. Due to which, this increases the involvement of false flags and the employment of commercial malware freely available on the Dark Web, in an effort to reduce researchers’ ability to “fingerprint” them.
For instance, same way how last year the re-emergence of APT29 after two years of being dormant. The group, which is best-known for hacking the Democratic National Committee ahead of the 2016 presidential election. The group was spotted using Cobalt Strike, a commercially available exploitation framework; and Beacon, a backdoor module that executes PowerShell scripts, logs keystrokes, takes screenshots, downloads files. Beacon also has the ability to create a C2 profile to look like another actor or legitimate service in order to avoid tracking.
According to Kaspersky research, the glue30.dll malware module provides keylogging functionality. The updater.mod module uses the Win API function SetWindowsHookExW to install hooks for the keyboard and to inject glue30.dll into processes that get keyboard input. After that, glue30.dll loads and begins intercepting input in the context of each hooked process.
DarkUniverse campaign collecting various sensitive information including Email conversations, Files from specific directories, Screenshots, information from the Windows registry, Sends a file to the C2, Credentials from Outlook Express, Outlook, Internet Explorer, Windows Mail and more.
“DarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years. The malware contains all the necessary modules for collecting all kinds of information about the user and the infected system and appears to be fully developed from scratch.” Kaspersky said.
Read our other articles here: