Security researchers published technical details about malware used by a new threat actor that matches a signature in a scanner likely built by the U.S. National Security Agency and leaked more than two years ago.
The new threat received the name DarkUniverse and was active for at least eight years, between 2009 and 2017. It was identified last year, but the NSA knew about it long before.
The DarkUniverse framework
In 2017, a group called the Shadow Brokers published the Lost in Translation cache of tools believed to be from NSA’s digital armory. Among them was a script – sigs.py – with functions that look for unique malware signatures on a compromised system.
In total, sigs.py includes 44 entries, not all of them are known to the private sector security community. Researchers from Kaspersky found in 2018 the DarkUniverse APT (advanced threat from a nation-state) matching a function in the scanner.
“We assess with medium confidence that DarkUniverse is connected with the ItaDuke set of activity due to unique code overlaps,” they write in a report in October.
Looking at the samples from 2017 from this group, researchers note that the last ones “are totally different from the first ones,” which were dated to 2009.
Kaspersky malware analyst Alexander Fedotov told BleepingComputer in an email that the DarkUniverse adversary is likely resourceful enough, since they afforded to keep the framework updated for such a long time.
C2s assigned per victim
DarkUniverse is delivered via emails carrying a malicious Microsoft Office document, tailored for each victim specifically to stir interest and open the file.
Analysis from Kaspersky determined that the malware samples were compiled shortly before delivery and had the newest version of the executable.
Two files (updater.mod and glue30.dll) are extracted on a compromised machine, responsible for establishing communication with the command and control (C2) server, persistence, integrity, and keylogging capabilities.
To keep the malware on the system, the .MOD file places a link file in the startup folder so that the threat executes at reboot, and restores it whenever it becomes corrupted.
Sending commands and malicious modules to victims is done through the myDrive cloud storage service, with accounts being created for each compromised machine. All components of the framework are encrypted using a custom algorithm, seen in the image below.
This way, the actor could upload additional malware modules and a configuration file. The same storage is also used for sending information collected from the victim system.
This indicates that the threat actor can adapt its activity according to what they need to do on the victim computer.
Some of the modules analyzed by Kaspersky can prepare data for exfiltration, run commands from the C2, steal email credentials and messages. Among the clients targeted are Outlook, Eudora, Thunderbird.
The most functional module in the DarkUniverse framework is ‘dfrgntfs5.sqt.’ It can handle a large list of commands from the C2.
Its capabilities include deleting itself, taking screenshots, inject shellcode into Internet Explorer, scanning the local network, login brute-forcing, exfiltrating data, or setting DHCP and DNS settings.
Kaspersky discovered about 20 victims from civilian and military organizations. They are from Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus, and the United Arab Emirates.
Provided the longevity of DarkUniverse, the researchers believe that the number of victims is “much larger.” For the time being, no activity has been recorded from this threat actor.
“The suspension of DarkUniverse operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artifacts for their operations.” – Alexander Fedotov