17 January 2023

New backdoor based on leaked CIA’s Hive spyware spotted in the wild

Qihoo Netlab 360's researchers have spotted a new backdoor based on the US CIA's Project Hive malware control system, whose source code WikiLeaks published in 2017 as part of its Vault 8 CIA leak series.

The researchers came across the new malware in October 2022, when one of their honeypots caught a suspicious ELF file being spread via an unidentified vulnerability in F5 products. The malicious code was contacting the IP address 45.9.150.144 over SSL, using forged Kaspersky certificates.

“After further lookup, we confirmed that this sample was adapted from the leaked Hive project server source code from CIA. This is the first time we caught a variant of the CIA HIVE attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33,” Netlab said in a report.

The xdr33 backdoor is designed to collect valuable data and provide a foothold for subsequent intrusions. It uses the XTEA or AES algorithm to encrypt the original traffic, and protects that traffic with SSL in client-certificate authentication mode.

“In terms of function, there are two main tasks: beacon and trigger, of which beacon is to periodically report sensitive information about the device to the hard-coded Beacon C2 and execute the commands issued by it, while the trigger is to monitor the NIC traffic to identify specific messages that conceal the Trigger C2, and when such messages are received, it establishes communication with the Trigger C2 and waits for the execution of the commands issued by it,” the researchers explained.
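The two network-visible indicators the report gives for the beacon channel are the hard-coded C2 address and the bot's client certificate CN. The following is an added example, not code from Netlab's report, showing how a defender could sweep TLS session logs for both; it assumes a reduced Zeek ssl.log layout (only the columns it needs) and the sample records are constructed for the example.

```python
"""Flag TLS sessions that match the xdr33 indicators named in the article."""
import ipaddress
import re

# Indicators taken from the report text above.
XDR33_C2_IP = ipaddress.ip_address("45.9.150.144")
XDR33_CLIENT_CN = "xdr33"

# Constructed sample in Zeek ssl.log (TSV) layout, reduced to the columns used
# here; addresses and certificate subjects other than the two indicators are
# made up for this example.
SAMPLE_SSL_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tsubject\tclient_subject
1666000000.1\t10.0.0.5\t45.9.150.144\t443\tCN=Kaspersky Lab\tCN=xdr33
1666000001.2\t10.0.0.7\t93.184.216.34\t443\tCN=example.org\t-
1666000002.3\t10.0.0.9\t45.9.150.144\t443\tCN=update.local\t-
1666000003.4\t10.0.0.11\t203.0.113.9\t8443\tCN=vpn.corp\tCN=xdr33
"""


def parse_zeek_tsv(text):
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def cn_of(subject):
    """Extract the CN attribute from a distinguished-name string ('-' = none)."""
    m = re.search(r"CN=([^,]+)", subject or "")
    return m.group(1) if m else None


def flag_xdr33(text):
    """Return (client, server, reasons) for every session hitting an indicator.

    Either indicator alone is enough: the C2 address catches beacons even if
    the operator rotates the bot certificate, and the certificate CN catches
    the bot even if it is pointed at a different server.
    """
    hits = []
    for rec in parse_zeek_tsv(text):
        reasons = []
        if ipaddress.ip_address(rec["id.resp_h"]) == XDR33_C2_IP:
            reasons.append("beacon C2 address")
        if cn_of(rec.get("client_subject")) == XDR33_CLIENT_CN:
            reasons.append("bot client certificate CN=xdr33")
        if reasons:
            hits.append((rec["id.orig_h"], rec["id.resp_h"], reasons))
    return hits
```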

“These modifications to xdr33 are not very sophisticated in terms of implementation, and coupled with the fact that the vulnerability used in this spread is N-day, we tend to rule out the possibility that the CIA continued to improve on the leaked source code and consider it to be the result of a cyber attack group borrowing the leaked source code.”
