DarkUniverse – A Weaponized APT Framework Found via an Interesting Script Used in the NSA Hacking Tools Leak

Researchers have found a new APT framework named “DarkUniverse”, starting from a tip in a script that was part of the NSA breach in 2017, in which the Shadow Brokers published their well-known ‘Lost in Translation’ leak of hacking tools.

The “Lost in Translation” leak exposed some of the most damaging exploits, such as DarkPulsar and EternalBlue, which went on to cause billions of dollars in losses by powering the WannaCry and NotPetya ransomware outbreaks.

The tip came from what the researchers describe as the 27th function of that script, which checks a hacked system for traces of other APT groups’ activity.

Researchers believe that the “DarkUniverse” APT framework was active for at least 8 years, from 2009 until 2017, and the traces also tie it to ItaDuke, an actor that used PDF exploits to drop previously unknown malware.

The malicious framework targeted various countries including Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates. The victims included both civilian and military organizations.

DarkUniverse APT Framework Infection process

Further analysis reveals that the campaign mostly used spear-phishing emails to deliver the malware through weaponized Microsoft Office document attachments.

Different versions of the sample were used in this campaign between 2009 and 2017, with the latest version in use until 2017.

The campaign’s command and control server was deployed on the cloud storage service mydrive.ch. “For every victim, the operators created a new account there and uploaded additional malware modules and a configuration file with commands to execute it.”

Once connected to the C2 server, the malware performs the following actions:

  • downloads the command file to the working directory;
  • uploads files collected and prepared by additional malicious modules;
  • downloads additional malware modules.

According to Kaspersky’s research, the glue30.dll malware module provides keylogging functionality. The updater.mod module uses the Windows API function SetWindowsHookExW to install keyboard hooks and to inject glue30.dll into processes that receive keyboard input. After that, glue30.dll loads and begins intercepting input in the context of each hooked process.
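As an added defensive example (not code from the article or from Kaspersky’s report), the following Python triages constructed Sysmon-style events for the indicators named above: loads of glue30.dll or updater.mod into processes, and connections to the cloud C2 host mydrive.ch. The log records, file paths and PIDs are invented for illustration.

```python
import json
import ntpath
from collections import defaultdict

# Indicators named in the article: the keylogging module, the module that
# installs the keyboard hook, and the cloud storage host used for C2.
SUSPECT_MODULES = {"glue30.dll", "updater.mod"}
C2_HOST = "mydrive.ch"

# Constructed Sysmon-style records, one JSON object per line (EventID 7 =
# image load, EventID 3 = network connection). Paths and PIDs are invented.
SAMPLE_LOG = r"""
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\glue30.dll"}
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 7, "ProcessId": 2210, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\glue30.dll"}
{"EventID": 3, "ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "DestinationHostname": "mydrive.ch", "DestinationPort": 443}
{"EventID": 3, "ProcessId": 880, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "update.example.com", "DestinationPort": 443}
"""

def parse_events(log_text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def is_c2_host(hostname):
    """Exact match or subdomain of the C2 host (so notmydrive.ch does not match)."""
    host = hostname.lower()
    return host == C2_HOST or host.endswith("." + C2_HOST)

def triage(events):
    """Per PID: suspect modules loaded and whether the process contacted the C2 host."""
    findings = defaultdict(lambda: {"image": None, "modules": set(), "c2": False})
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 7:
            name = ntpath.basename(ev["ImageLoaded"]).lower()
            if name in SUSPECT_MODULES:
                findings[pid]["image"] = ev["Image"]
                findings[pid]["modules"].add(name)
        elif ev["EventID"] == 3 and is_c2_host(ev.get("DestinationHostname", "")):
            findings[pid]["image"] = ev["Image"]
            findings[pid]["c2"] = True
    return dict(findings)

def host_verdict(findings):
    """Correlate across processes: the injected processes and the one talking to
    the C2 host need not be the same, so judge the host as a whole."""
    loads = any(f["modules"] for f in findings.values())
    c2 = any(f["c2"] for f in findings.values())
    return "high" if loads and c2 else "medium" if loads or c2 else "none"
```

Running `host_verdict(triage(parse_events(SAMPLE_LOG)))` on the sample yields "high", since both the injected module and the C2 contact are seen on the same host.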

The DarkUniverse campaign collects a range of sensitive information, including email conversations, files from specific directories, screenshots, data from the Windows registry, and credentials from Outlook Express, Outlook, Internet Explorer, Windows Mail and more; it can also send a chosen file to the C2.

“DarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years. The malware contains all the necessary modules for collecting all kinds of information about the user and the infected system and appears to be fully developed from scratch.” Kaspersky said.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
