DarkUniverse APT Stayed Hidden for 8 Years, Updated Regularly

Posted by & filed under Ειδοποιήσεις.

Security researchers published technical details about malware used by a new threat actor that matches a signature in a scanner likely built by the U.S. National Security Agency and leaked more than two years ago.

The new threat received the name DarkUniverse and was active for at least eight years, between 2009 and 2017. It was identified last year, but the NSA knew about it long before.

The DarkUniverse framework

In 2017, a group called the Shadow Brokers published the Lost in Translation cache of tools believed to be from NSA’s digital armory. Among them was a script – sigs.py – with functions that look for unique malware signatures on a compromised system.

In total, sigs.py includes 44 entries, not all of them are known to the private sector security community. Researchers from Kaspersky found in 2018 the DarkUniverse APT (advanced threat from a nation-state) matching a function in the scanner.

“We assess with medium confidence that DarkUniverse is connected with the ItaDuke set of activity due to unique code overlaps,” they write in a report in October.

ItaDuke has been active since at least 2013, described by FireEye and Kaspersky as leveraging PDF zero-day vulnerabilities.

Looking at the samples from 2017 from this group, researchers note that the last ones “are totally different from the first ones,” which were dated to 2009.

Kaspersky malware analyst Alexander Fedotov told BleepingComputer in an email that the DarkUniverse adversary is likely resourceful enough, since they afforded to keep the framework updated for such a long time.

C2s assigned per victim

DarkUniverse is delivered via emails carrying a malicious Microsoft Office document, tailored for each victim specifically to stir interest and open the file.

Analysis from Kaspersky determined that the malware samples were compiled shortly before delivery and had the newest version of the executable.

Two files (updater.mod and glue30.dll) are extracted on a compromised machine, responsible for establishing communication with the command and control (C2) server, persistence, integrity, and keylogging capabilities.

To keep the malware on the system, the .MOD file places a link file in the startup folder so that the threat executes at reboot, and restores it whenever it becomes corrupted.

Sending commands and malicious modules to victims is done through the myDrive cloud storage service, with accounts being created for each compromised machine. All components of the framework are encrypted using a custom algorithm, seen in the image below.

This way, the actor could upload additional malware modules and a configuration file. The same storage is also used for sending information collected from the victim system.

This indicates that the threat actor can adapt its activity according to what they need to do on the victim computer.

Some of the modules analyzed by Kaspersky can prepare data for exfiltration, run commands from the C2, steal email credentials and messages. Among the clients targeted are Outlook, Eudora, Thunderbird.

The most functional module in the DarkUniverse framework is ‘dfrgntfs5.sqt.’ It can handle a large list of commands from the C2.

Its capabilities include deleting itself, taking screenshots, inject shellcode into Internet Explorer, scanning the local network, login brute-forcing, exfiltrating data, or setting DHCP and DNS settings.

Kaspersky discovered about 20 victims from civilian and military organizations. They are from Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus, and the United Arab Emirates.

Provided the longevity of DarkUniverse, the researchers believe that the number of victims is “much larger.” For the time being, no activity has been recorded from this threat actor.

“The suspension of DarkUniverse operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artifacts for their operations.” – Alexander Fedotov


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.