Shadow Brokers archive allowed tracing mysterious DarkUniverse group

In 2017, the cybercriminal group The Shadow Brokers released an archive of malware and hacker tools that cybersecurity experts associate with the U.S. National Security Agency. This archive, among other things, contained a script that allowed tracing certain APT group, called DarkUniverse.

According to experts, the group has been active for at least eight years – from 2009 to 2017. Experts believe that DarkUniverse may be related to ItaDuke malware campaigns, in which zero-day exploits for vulnerabilities in PDF documents were used to download malware, and Twitter accounts were used to store C & C server URLs.

The DarkUniverse group distributed malware using the “targeted phishing” method. For each victim was formed a separate letter in order to attract attention and force to open the attached malicious Microsoft Office document.

“Spear phishing was used to spread the malware. A letter was prepared separately for each victim to grab their attention and prompt them to open an attached malicious Microsoft Office document. Each malware sample was compiled immediately before being sent and included the latest available version of the malware executable”, — note Kaspersky Lab researchers.

The malware built into the documents contained two malicious modules (updater.modand glue30.dll). The first was responsible for communicating with the management server, as well as loading additional malicious modules, the second acted as a keylogger. To run the updater.mod library, was used rundll32.exe. The updater.mod module was responsible for ensuring communication with the C & C server, integrity and persistence of malicious programs, as well as managing other malicious modules.

Read also: Russia and China residents will not be able to occupy positions in Gitlab that provide access to customer data

In addition to these functions, updater.mod loaded a number of additional modules, such as dfrgntfs5.sqt (for executing commands from a C&C server), msvcrt58.sqt (for stealing mail credentials and email content), zl4vq.sqt (the legitimate zlib library, used by dfrgntfs5 module) and %tims_ID%.upe (additional plugin for dfrgntfs5).

The malicious glue30.dll module provided keylogging functionality. The updater.mod module used the SetWindowsHookExW Win API function to intercept keystrokes and inject glue30.dll into processes that receive keyboard input data. The msvcrt58.sqt module intercepted unencrypted POP3 traffic to collect email messages and victim credentials, analyzed it, and sent the result to the main module (updater.mod) for downloading to the C & C server. The dfrgntfs5.sqt module was the most functional component of the DarkUniverse environment. He processed a huge list of commands from a C&C server.