[BreachExchange] Mysterious DarkUniverse APT remained undetected for 8 years

Destry Winant destry at riskbasedsecurity.com
Thu Nov 7 09:45:21 EST 2019


https://securityaffairs.co/wordpress/93463/apt/darkuniverse-apt.html

In 2017, a hacker group known as the Shadow Brokers stole malware and
hacking tools from the arsenal of the NSA-linked Equation Group, then
published the data dump online under the name “Lost in Translation.”

The dump also included an intriguing Python script named sigs.py that
checked a compromised system for traces of other APT groups.

Analysis of the script revealed the existence of a mysterious APT
group tracked by Kaspersky Lab as ‘DarkUniverse’. DarkUniverse was
active at least from 2009 until 2017.

The researchers assess with medium confidence that DarkUniverse falls
under the ItaDuke umbrella of activities, based on unique code overlaps.
The ItaDuke APT group has been active at least since 2013; it leverages PDF
zero-day exploits to drop malware on target systems and uses Twitter
accounts to pass C2 URLs.

The DarkUniverse APT carried out spear-phishing attacks using weaponized
Microsoft Office documents; each email was prepared separately for each
victim.

The threat actors compiled each malware sample immediately before sending it
and always used the latest available version of the executable.
Experts noted that the attackers were resourceful and that the
framework evolved significantly over time.

The executable file embedded in the documents drops two dynamic-link
libraries on the target system, updater.mod and glue30.dll.

The updater.mod module is responsible for communicating with the C2
server, ensuring the malware's integrity and persistence, and managing
the other malware modules. The glue30.dll module provides keylogging
functionality.

“The glue30.dll malware module provides keylogging functionality. The
updater.mod module uses the Win API function SetWindowsHookExW to
install hooks for the keyboard and to inject glue30.dll into processes
that get keyboard input. After that, glue30.dll loads and begins
intercepting input in the context of each hooked process.” reads the
analysis published by Kaspersky.

“The msvcrt58.sqt module intercepts unencrypted POP3 traffic to
collect email conversations and victims’ credentials. This module
looks for traffic from the following processes:

outlook.exe;
winmail.exe;
msimn.exe;
nlnotes.exe;
eudora.exe;
thunderbird.exe;
thunde~1.exe;
msmsgs.exe;
msnmsgr.exe.”
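The module names and the list of targeted mail clients above are concrete enough to hunt for. The following is an added example, not code from the article or from Kaspersky: it scans Sysmon-style ImageLoad (Event ID 7) records for loads of the named DarkUniverse modules and raises the severity when the loading process is one of the mail or messaging clients listed. The flat key=value record layout and the sample log lines are constructed assumptions, not Sysmon's real XML output.

```python
"""Flag DarkUniverse module loads in Sysmon-style ImageLoad (Event ID 7) records."""
import ntpath
import re

# Module file names and targeted mail/messaging processes as named in the article.
DARKUNIVERSE_MODULES = {"updater.mod", "glue30.dll", "msvcrt58.sqt"}
MAIL_CLIENTS = {
    "outlook.exe", "winmail.exe", "msimn.exe", "nlnotes.exe", "eudora.exe",
    "thunderbird.exe", "thunde~1.exe", "msmsgs.exe", "msnmsgr.exe",
}

# Constructed sample records; the flat key=value layout is an assumption, not Sysmon's XML.
SAMPLE_LOG = r"""
EventID=7 Image=C:\Program Files\Microsoft Office\outlook.exe ImageLoaded=C:\Users\u\AppData\Local\Temp\glue30.dll
EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\user32.dll
EventID=7 Image=C:\Program Files\Mozilla Thunderbird\thunderbird.exe ImageLoaded=C:\ProgramData\msvcrt58.sqt
EventID=7 Image=C:\Windows\notepad.exe ImageLoaded=C:\Users\u\AppData\Local\Temp\glue30.dll
EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c whoami
"""

# key=value pairs whose values may contain spaces (Windows paths): read lazily up to the next " key=".
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one record into a dict of field name -> value."""
    return dict(_KV.findall(line.strip()))


def detect(log_text):
    """Return (severity, process, module) for each ImageLoad of a known module.

    'high'   : module loaded into one of the mail/messaging clients whose
               traffic the msvcrt58.sqt module intercepts.
    'medium' : known module name loaded into any other process (glue30.dll
               is injected into every process that receives keyboard input).
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        if ev.get("EventID") != "7":
            continue
        proc = ntpath.basename(ev.get("Image", "")).lower()
        mod = ntpath.basename(ev.get("ImageLoaded", "")).lower()
        if mod not in DARKUNIVERSE_MODULES:
            continue
        findings.append(("high" if proc in MAIL_CLIENTS else "medium", proc, mod))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

File names alone are a weak indicator, so in practice this would be paired with a check on the loaded image's signature and path before escalating an alert.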

Kaspersky identified around 20 victims in Syria, Iran, Afghanistan,
Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab
Emirates, but experts believe that the number of victims between 2009
and 2017 was much greater.

The attackers used C2 servers hosted on the mydrive.ch cloud storage
service. For every victim, the operators created a new account and
uploaded additional malware modules and a configuration file
containing the commands to execute.

“DarkUniverse is an interesting example of a full cyber-espionage
framework used for at least eight years. The malware contains all the
necessary modules for collecting all kinds of information about the
user and the infected system and appears to be fully developed from
scratch.” concludes Kaspersky.

“The suspension of its operations may be related to the publishing of
the ‘Lost in Translation’ leak, or the attackers may simply have
decided to switch to more modern approaches and start using more
widely available artefacts for their operations,”
