A sophisticated espionage APT that was active for at least eight years before receding into the shadows has been uncovered — and researchers said that it may still be active.
In April 2017, the ShadowBrokers published the “Lost in Translation” dump, one of several leaks of cyberweapons and other tooling attributed to the National Security Agency (NSA). The cache contained a script that checked a compromised host for the fingerprints of other APTs. Among the signatures it carried was one matching a group that researchers at Kaspersky have dubbed “DarkUniverse.”
According to the company’s analysis, DarkUniverse operated undetected from 2009 until 2017 and is likely related to the ItaDuke set of campaigns, which has targeted Tibetan and Uyghur dissidents, among others, since 2013. Unique code overlaps between the two point in that direction, researchers said.
In analyzing the 2017 DarkUniverse activity, Kaspersky recorded around 20 victims in its telemetry, including both civilian and military organizations in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates.
“DarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years,” Kaspersky analysts said in a Tuesday posting. “The malware contains all the necessary modules for collecting all kinds of information about the user and the infected system and appears to be fully developed from scratch.”
Technical Sophistication
DarkUniverse used spearphishing to spread its malware in a highly-targeted campaign. Each victim received a carefully crafted letter tailored to their unique circumstances, with a prompt to open an attached malicious Microsoft Office document.
The executable embedded in the document drops two files from itself, updater.mod and glue30.dll. The updater.mod module is a dynamic-link library that acts as the orchestrator, researchers said: it handles communication with the command-and-control (C2) servers (mostly hosted on the cloud storage service mydrive.ch), checks the integrity of the malware, maintains persistence by placing a link (.lnk) file in the Startup folder so that the malware runs again after a reboot, and manages the other malware modules.
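A shortcut in the Startup folder is a persistence mechanism a responder can check for directly, and .lnk files collected from a host can be parsed on any operating system. The following is an added example written for this article, not DarkUniverse or Kaspersky code: it parses the header, LinkInfo and StringData sections of the Windows Shell Link format to recover where each shortcut points, and applies a simple heuristic to flag targets in user-writable locations. The build_lnk() helper only fabricates constructed sample input, the sample paths are invented, and the heuristic is an assumption about what looks odd, not a signature for any real malware.

```python
"""Triage Startup-folder shortcuts: parse .lnk files offline and flag odd targets.

Added example (not DarkUniverse or Kaspersky code). A Shell Link dropped into
%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup (per user) or
%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp (all users)
runs its target at logon. The heuristic below is an assumption, not a signature.
"""
import os
import struct
from typing import Dict, List, Optional, Tuple

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# User-writable locations a logon shortcut rarely needs to point into (heuristic assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def _cstr(data: bytes, off: int) -> str:
    """Read a NUL-terminated ANSI string starting at off."""
    return data[off:data.index(b"\0", off)].decode("cp1252")


def parse_lnk(data: bytes) -> Dict[str, Optional[str]]:
    """Return the local target path and StringData fields of a Shell Link; ValueError if not a .lnk."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    result: Dict[str, Optional[str]] = {"target": None}
    if flags & HAS_TARGET_ID_LIST:                      # skip the IDList; LinkInfo carries the path
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol, lbp_off, _cnrl, cps_off = struct.unpack_from("<7I", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:  # network-share targets (flag 0x2) are not resolved here
            result["target"] = _cstr(data, pos + lbp_off) + _cstr(data, pos + cps_off)
        pos += info_size
    unicode = bool(flags & IS_UNICODE)
    for flag, key in STRING_FIELDS:                     # fixed order per spec; each is char count + chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            result[key] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
    return result


def is_suspicious(link: Dict[str, Optional[str]]) -> bool:
    """Heuristic: no resolvable target, or target/arguments reference a user-writable directory."""
    if not link.get("target"):
        return True
    haystack = ((link.get("target") or "") + " " + (link.get("arguments") or "")).lower()
    return any(marker in haystack for marker in USER_WRITABLE)


def scan_startup_folder(folder: str) -> List[Tuple[str, Optional[str], bool]]:
    """Parse every .lnk in a live or collected Startup folder; returns (file, target, suspicious)."""
    findings = []
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(".lnk"):
            continue
        with open(os.path.join(folder, name), "rb") as fh:
            try:
                link = parse_lnk(fh.read())
            except ValueError:
                findings.append((name, None, True))    # a malformed .lnk in Startup is itself worth a look
                continue
        findings.append((name, link["target"], is_suspicious(link)))
    return findings


def build_lnk(target: str, arguments: str = "", working_dir: str = "") -> bytes:
    """Fabricate a minimal, spec-shaped .lnk purely as constructed sample input."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_WORKING_DIR if working_dir else 0) | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIqqqIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 0x11, 3, 0x1234ABCD, 0x10) + b"\0"   # DriveType 3 = fixed disk, empty label
    base_path = target.encode("cp1252") + b"\0"
    lbp_off = 0x1C + len(volume_id)
    cps_off = lbp_off + len(base_path)
    link_info = struct.pack("<7I", cps_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH, 0x1C, lbp_off, 0, cps_off)
    link_info += volume_id + base_path + b"\0"                           # empty CommonPathSuffix
    strings = b""
    for flag, value in ((HAS_WORKING_DIR, working_dir), (HAS_ARGUMENTS, arguments)):
        if flags & flag:
            strings += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + link_info + strings + b"\0\0\0\0"                    # TerminalBlock


# Constructed samples (invented paths): one shortcut into a profile directory, one into Program Files.
SAMPLE_ODD = build_lnk(r"C:\Users\alice\AppData\Roaming\Updater\updater.exe", arguments="/silent",
                       working_dir=r"C:\Users\alice\AppData\Roaming\Updater")
SAMPLE_BENIGN = build_lnk(r"C:\Program Files\Vendor\Tray.exe")
```

Run scan_startup_folder() against a copy of each user's Startup folder taken from a disk image and review anything flagged; the heuristic is deliberately loose, so treat hits as leads to verify (signature, hash, file timestamps) rather than verdicts.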
Each campaign analyzed in the 2017 group of attacks was customized to the target.
“For every victim, the operators created a new account and uploaded additional malware modules and a configuration file with commands to execute it,” according to the Kaspersky analysis. “Once executed, the updater.mod module connected to the C2 and…downloaded additional malware modules.”
The core of the framework is the dfrgntfs5.sqt module, a full-featured spy tool.
dfrgntfs5.sqt injects shellcode into Internet Explorer that establishes a direct connection to the C2, downloads additional code and executes it. The module can take screenshots, collect full system information and a wide range of reconnaissance data about the local network, brute-force specific IP ranges with username and password combinations, obtain file listings and exfiltrate selected files to the C2.
It also collects and decrypts credentials from Outlook Express, Outlook, Internet Explorer, Windows Mail and Windows Live Mail, Windows Live Messenger and the Internet cache; checks whether any proxy credentials it finds are valid; and can provide basic man-in-the-middle (MITM) functionality.
The other notable module is glue30.dll, which provides keylogging.
“The updater.mod module uses the Win API function SetWindowsHookExW to install hooks for the keyboard and to inject glue30.dll into processes that get keyboard input,” researchers wrote. “After that, glue30.dll loads and begins intercepting input in the context of each hooked process.”
The msvcrt58.sqt module, meanwhile, harvests email conversations and victims’ credentials from Microsoft Outlook, WinMail, Eudora and other clients. It does so passively: it intercepts and parses unencrypted POP3 traffic, which only works because the mail sessions are not protected by TLS, and hands the results to the main module (updater.mod) for upload to the C2.
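To make concrete what a module of that kind can pull out of a cleartext mail session, here is an added example written for this article (not DarkUniverse code, and not a reconstruction of msvcrt58.sqt). It parses a constructed POP3 transcript and extracts the credentials that cross the wire in the three common login paths: USER/PASS (password in the clear), APOP (only an MD5 digest plus the server’s challenge, which can be cracked offline) and AUTH PLAIN (a base64 blob that decodes directly to the password). The transcript, hostnames and credentials are all constructed sample data; the sniffer itself, and the ability to see the TCP stream, are assumed.

```python
"""Extract credentials from a cleartext POP3 session transcript.

Added example (not DarkUniverse code). Shows why unencrypted POP3 (TCP/110
without STARTTLS, or no POP3S on 995) hands a passive observer the mailbox
password: USER/PASS and AUTH PLAIN are recoverable outright, APOP leaks a
crackable digest. All sample data below is constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Pop3Credential:
    mechanism: str
    username: str
    password: Optional[str]          # None when only a digest was observed (APOP)
    challenge: Optional[str] = None  # APOP: <timestamp> taken from the server banner
    digest: Optional[str] = None     # APOP: MD5(challenge + password) as hex, crackable offline


# Constructed transcript: three logins as they appear on the wire without TLS.
# "S: " / "C: " direction markers are for readability and are stripped before parsing.
SAMPLE_SESSION = """\
S: +OK POP3 server ready <1896.697170952@mail.example.test>
C: USER alice
S: +OK
C: PASS s3cr3t-pa55
S: +OK Logged in.
C: STAT
S: +OK 2 3200
C: QUIT
S: +OK Bye
S: +OK POP3 server ready <1896.697170953@mail.example.test>
C: APOP bob c4c9334bac560ecc979e58001b3e22fb
S: +OK
C: QUIT
S: +OK POP3 server ready
C: AUTH PLAIN
S: +
C: AGNhcm9sAGh1bnRlcjI=
S: +OK
"""

APOP_BANNER = re.compile(r"<[^<>]+@[^<>]+>")   # RFC 1939 timestamp banner, e.g. <process.clock@host>


def _parse_plain(blob: str) -> Optional[Pop3Credential]:
    """Decode a SASL PLAIN response: base64(authzid NUL authcid NUL password)."""
    try:
        decoded = base64.b64decode(blob, validate=True)
    except ValueError:                               # binascii.Error is a ValueError subclass
        return None
    fields = decoded.split(b"\0")
    if len(fields) != 3:
        return None
    return Pop3Credential("AUTH PLAIN", fields[1].decode("utf-8", "replace"),
                          fields[2].decode("utf-8", "replace"))


def extract_credentials(transcript: str) -> List[Pop3Credential]:
    """Walk the transcript line by line and collect every credential exposed in it."""
    creds: List[Pop3Credential] = []
    pending_user: Optional[str] = None
    last_challenge: Optional[str] = None
    awaiting_plain = False
    for raw in transcript.splitlines():
        if raw.startswith("S: "):
            banner = APOP_BANNER.search(raw)
            if raw.startswith("S: +OK") and banner:  # remember the APOP challenge for this session
                last_challenge = banner.group(0)
            continue
        if not raw.startswith("C: "):
            continue
        line = raw[3:]
        if awaiting_plain:                           # continuation line after a bare "AUTH PLAIN"
            awaiting_plain = False
            cred = _parse_plain(line.strip())
            if cred:
                creds.append(cred)
            continue
        parts = line.split(" ", 2)
        verb = parts[0].upper()
        if verb == "USER" and len(parts) >= 2:
            pending_user = parts[1]
        elif verb == "PASS" and pending_user is not None:
            creds.append(Pop3Credential("USER/PASS", pending_user, line[5:]))  # password may contain spaces
            pending_user = None
        elif verb == "APOP" and len(parts) == 3:
            creds.append(Pop3Credential("APOP", parts[1], None, challenge=last_challenge, digest=parts[2]))
        elif verb == "AUTH" and len(parts) >= 2 and parts[1].upper() == "PLAIN":
            if len(parts) == 3:                      # initial response sent inline: AUTH PLAIN <base64>
                cred = _parse_plain(parts[2].strip())
                if cred:
                    creds.append(cred)
            else:
                awaiting_plain = True
    return creds
```

The defensive takeaway is the mirror image of the parser: anything it can recover, so can a module sitting on the same host or network segment, and the only fix is to refuse plaintext POP3 (require STARTTLS or POP3S) rather than to rely on APOP or SASL PLAIN, neither of which protects the session.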
According to Kaspersky, this analyzed 2017 version of the DarkUniverse framework represents a significant evolution over initial samples from 2009.
“The attackers were resourceful and kept updating their malware during the full lifecycle of their operations,” researchers wrote. “Each malware sample was compiled immediately before being sent and included the latest available version of the malware executable. Since the framework evolved from 2009 to 2017, the last releases are totally different from the first ones.”
Kaspersky also said that there was an abrupt end to the DarkUniverse operations in 2017 — but that the group may have simply retooled after being exposed by the ShadowBrokers leak.
“The suspension of its operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artefacts for their operations,” Alexander Fedotov, Kaspersky malware analyst, said via email.
APTs are known for trying to stay under the radar by changing their tactics and tools after an analysis goes public. Increasingly this involves false flags and the use of commodity malware and commercial tooling that is readily available, including on the Dark Web, to reduce researchers’ ability to “fingerprint” them.
For instance, last year saw the re-emergence of APT29 after two years of apparent dormancy. The group, best known for hacking the Democratic National Committee ahead of the 2016 presidential election, was spotted using Cobalt Strike, a commercially available adversary-simulation framework, and its Beacon payload, a backdoor that executes PowerShell scripts, logs keystrokes, takes screenshots, downloads files and spawns other payloads. Cobalt Strike’s configurable C2 profiles can also make Beacon traffic resemble that of another actor or a legitimate service in order to avoid tracking.