
Shadow Brokers archive allowed tracing mysterious DarkUniverse group

In 2017, the cybercriminal group The Shadow Brokers released an archive of malware and hacking tools that cybersecurity experts associate with the U.S. National Security Agency. Among other things, this archive contained a script that made it possible to trace a certain APT group, called DarkUniverse.

According to experts, the group was active for at least eight years, from 2009 to 2017. Experts believe that DarkUniverse may be related to the ItaDuke malware campaigns, in which zero-day exploits for vulnerabilities in PDF documents were used to download malware, and Twitter accounts were used to store C&C server URLs.

The DarkUniverse group distributed its malware by spear phishing: a separate e-mail was crafted for each victim in order to attract attention and persuade the recipient to open the attached malicious Microsoft Office document.

“Spear phishing was used to spread the malware. A letter was prepared separately for each victim to grab their attention and prompt them to open an attached malicious Microsoft Office document. Each malware sample was compiled immediately before being sent and included the latest available version of the malware executable”, note Kaspersky Lab researchers.

The malware embedded in the documents contained two malicious modules (updater.mod and glue30.dll). The first was responsible for communicating with the command-and-control server and for loading additional malicious modules; the second acted as a keylogger. The updater.mod library was launched with rundll32.exe. The updater.mod module was responsible for communication with the C&C server, for the integrity and persistence of the malware, and for managing the other malicious modules.


In addition to these functions, updater.mod loaded a number of additional modules: dfrgntfs5.sqt (for executing commands from the C&C server), msvcrt58.sqt (for stealing mail credentials and e-mail content), zl4vq.sqt (the legitimate zlib library, used by the dfrgntfs5 module) and %tims_ID%.upe (an additional plugin for dfrgntfs5).

The malicious glue30.dll module provided the keylogging functionality: updater.mod used the SetWindowsHookExW Windows API function to intercept keystrokes and inject glue30.dll into processes that receive keyboard input. The msvcrt58.sqt module intercepted unencrypted POP3 traffic to collect e-mail messages and victim credentials, parsed it, and passed the result to the main module (updater.mod) for sending to the C&C server. The dfrgntfs5.sqt module was the most functional component of the DarkUniverse framework; it processed a large list of commands from the C&C server.
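A defender can turn one detail above, the loader updater.mod being started through rundll32.exe with a non-DLL extension, into a simple detection over process-creation command lines. This is an added example, not code from the article or from Kaspersky; the sample command lines, file paths and entry-point names are constructed, the `.sqt` line only shows that the general "unusual extension" rule also fires, and the set of extensions rundll32 normally loads (.dll, .cpl) is an assumption.

```python
import re

# The article says the DarkUniverse loader (updater.mod) was started through
# rundll32.exe.  rundll32 normally loads .dll/.cpl files (KNOWN_OK is my
# assumption), so a module with any other extension is worth a closer look.
DARKUNIVERSE_EXT = {".mod"}
KNOWN_OK = {".dll", ".cpl"}
RUNDLL_RE = re.compile(r'^\s*"?([^"\s]*?rundll32(?:\.exe)?)"?\s+(.*)$', re.IGNORECASE)

def parse_rundll32_target(cmdline):
    """(module_path, entry_point) for 'rundll32 <module>,<entry> [args]', else None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(2).strip()
    if rest.startswith('"'):                 # quoted module path (may contain spaces)
        module, _, tail = rest[1:].partition('"')
    else:                                    # unquoted path ends at comma or space
        mm = re.match(r"([^,\s]*)(.*)$", rest)
        module, tail = mm.group(1), mm.group(2)
    tail = tail.lstrip()
    parts = tail[1:].split() if tail.startswith(",") else []
    return module, (parts[0] if parts else "")

def module_extension(path):
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]   # last path component
    return name[name.rfind("."):].lower() if "." in name else ""

def flag_rundll32_modules(log_lines):
    """Findings for rundll32 command lines that load a non-standard module."""
    findings = []
    for line in log_lines:
        parsed = parse_rundll32_target(line)
        if parsed is None:
            continue
        module, entry = parsed
        ext = module_extension(module)
        if ext in KNOWN_OK:
            continue
        reason = "darkuniverse_ext" if ext in DARKUNIVERSE_EXT else "unusual_ext"
        findings.append({"module": module, "entry": entry, "reason": reason})
    return findings

# Constructed sample process command lines (paths and entry points are made up).
SAMPLE_LOG = [
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\u\AppData\Roaming\updater.mod",Start',
    r"rundll32.exe C:\ProgramData\dfrgntfs5.sqt,Run",
    r"C:\Windows\System32\notepad.exe C:\notes.txt",
]
```

Running `flag_rundll32_modules(SAMPLE_LOG)` returns two findings (updater.mod and the constructed .sqt line) and ignores the shell32.dll and notepad entries.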

Researchers have identified about 20 victims in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates, but they believe that the number of victims can be much larger. Among the victims were both civilian and military organizations.
James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.
