17 January 2023

New backdoor based on leaked CIA’s Hive spyware spotted in the wild


Researchers at Qihoo 360's Netlab have spotted a new backdoor built from the source code of the US CIA's Hive malware control framework, which WikiLeaks published in 2017 as part of its Vault 8 series.

The researchers first came across the malware in October 2022, when one of their honeypots captured a suspicious ELF file being spread through an as-yet-unidentified vulnerability in F5 products. The sample contacted the IP address 45.9.150.144 over SSL, presenting forged Kaspersky certificates.

“After further lookup, we confirmed that this sample was adapted from the leaked Hive project server source code from CIA. This is the first time we caught a variant of the CIA HIVE attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33,” Netlab said in a report.

The xdr33 backdoor is designed to collect valuable data from the compromised device and provide a foothold for subsequent intrusions. It encrypts its traffic with either XTEA or AES and wraps that traffic in SSL with client-certificate authentication (mutual TLS) enabled, so the C2 server only accepts connections from bots presenting the expected certificate.

“In terms of function, there are two main tasks: beacon and trigger. Beacon periodically reports sensitive information about the device to the hard-coded Beacon C2 and executes the commands issued by it, while trigger monitors the NIC traffic to identify specific messages that conceal the Trigger C2; when such messages are received, it establishes communication with the Trigger C2 and waits for the execution of the commands issued by it,” the researchers explained.
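The two traits described above, a hard-coded beacon C2 reached over mutual TLS behind a certificate impersonating a security vendor, are the ones a defender can hunt for in TLS metadata. The script below is an added example written for this article, not code from the Netlab report or the xdr33 sample: it runs a few heuristics over JSON-lines records whose field names loosely follow Zeek's ssl.log. The C2 address 45.9.150.144 and the client certificate CN xdr33 come from the article; the trusted-CA list, the internal network ranges, the "impersonated vendor" rule and every log record are constructed assumptions.

```python
"""Hunting heuristics for xdr33-style TLS C2 sessions.

Added example, not code from the 360 Netlab report. The records in
SAMPLE_SSL_LOG are constructed; their field names loosely follow Zeek's
ssl.log (id.resp_h, subject, issuer, client_subject) but nothing here
depends on real Zeek output.
"""
from __future__ import annotations

import ipaddress
import json

# Indicators taken from the article: hard-coded beacon C2 and the bot's
# client-certificate CN.
C2_IPS = {"45.9.150.144"}
BOT_CLIENT_CNS = {"xdr33"}

# Heuristic assumptions (not from the report): a server certificate that
# impersonates a security vendor is suspicious when it is self-signed or
# chains to an issuer outside the organisation's trusted CA list.
IMPERSONATED_VENDORS = ("kaspersky",)
TRUSTED_CA_ORGS = {"DigiCert Inc", "Let's Encrypt", "GlobalSign nv-sa", "Sectigo Limited"}

# Internal ranges where mutual TLS to a server is expected (VPN, MDM, ...).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_dn(dn: str) -> dict[str, str]:
    """Parse 'CN=a,O=b,C=US' into {'CN': 'a', 'O': 'b', 'C': 'US'} (escaped commas not handled)."""
    out: dict[str, str] = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


def is_internal(host: str) -> bool:
    """True if host falls inside one of the constructed internal ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def flag_session(rec: dict) -> list[str]:
    """Return the reasons a single ssl.log record looks like xdr33 C2 (empty list = clean)."""
    reasons: list[str] = []
    resp = rec.get("id.resp_h", "")
    if resp in C2_IPS:
        reasons.append("known xdr33 C2 address")

    subject = parse_dn(rec.get("subject", ""))
    issuer = parse_dn(rec.get("issuer", ""))
    subject_blob = " ".join(subject.values()).lower()
    if any(vendor in subject_blob for vendor in IMPERSONATED_VENDORS):
        if subject == issuer:
            reasons.append("self-signed certificate impersonating a security vendor")
        elif issuer.get("O") not in TRUSTED_CA_ORGS:
            reasons.append("vendor-impersonating certificate from untrusted issuer")

    # Client certificates are only visible on the wire for TLS 1.2 and below;
    # xdr33's mutual-TLS requirement makes this field worth checking where present.
    client_cn = parse_dn(rec.get("client_subject", "")).get("CN")
    if client_cn in BOT_CLIENT_CNS:
        reasons.append("client certificate CN matches xdr33 bot")
    elif client_cn and not is_internal(resp):
        reasons.append("client certificate presented to external host (mutual TLS)")
    return reasons


def hunt(ssl_log: str) -> list[dict]:
    """Run flag_session over JSON-lines ssl.log text; return only the flagged sessions."""
    hits = []
    for line in ssl_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = flag_session(rec)
        if reasons:
            hits.append({"ts": rec.get("ts"), "resp": rec.get("id.resp_h"), "reasons": reasons})
    return hits


# Constructed records: 1 = xdr33 beacon, 2 = ordinary web, 3 = internal VPN mTLS,
# 4 = vendor cert from a trusted CA, 5 = impersonation plus mTLS to an external host.
SAMPLE_SSL_LOG = """
{"ts": 1.0, "id.orig_h": "10.0.0.5", "id.resp_h": "45.9.150.144", "id.resp_p": 443, "version": "TLSv12", "subject": "CN=Kaspersky Lab,O=Kaspersky Lab,C=RU", "issuer": "CN=Kaspersky Lab,O=Kaspersky Lab,C=RU", "client_subject": "CN=xdr33", "client_issuer": "CN=xdr33"}
{"ts": 2.0, "id.orig_h": "10.0.0.6", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "version": "TLSv13", "subject": "CN=www.example.com,O=Example Org,C=US", "issuer": "CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US"}
{"ts": 3.0, "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.20", "id.resp_p": 8443, "version": "TLSv12", "subject": "CN=vpn.corp.internal,O=Corp,C=US", "issuer": "CN=Corp Internal CA,O=Corp,C=US", "client_subject": "CN=alice,O=Corp,C=US", "client_issuer": "CN=Corp Internal CA,O=Corp,C=US"}
{"ts": 4.0, "id.orig_h": "10.0.0.8", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "version": "TLSv12", "subject": "CN=update.kaspersky.example,O=AO Kaspersky Lab,C=RU", "issuer": "CN=Some Public CA,O=DigiCert Inc,C=US"}
{"ts": 5.0, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.8", "id.resp_p": 443, "version": "TLSv12", "subject": "CN=Kaspersky Lab,O=Kaspersky Lab,C=RU", "issuer": "CN=Thawte Premium Server CA,O=Thawte Consulting cc,C=ZA", "client_subject": "CN=agent7,O=Foo", "client_issuer": "CN=Foo CA,O=Foo"}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_SSL_LOG):
        print(hit["ts"], hit["resp"], "; ".join(hit["reasons"]))
```

Only records 1 and 5 are flagged: the beacon to the known C2 trips three rules, while the internal VPN session (record 3) and the vendor certificate from a trusted CA (record 4) stay clean. The IP and CN indicators are brittle, since an operator can rotate both; the structural checks (self-signed vendor impersonation, client certificates offered to external hosts) survive that, at the cost of needing an allowlist tuned to the environment. Note also that TLS 1.3 encrypts the client certificate, so the client_subject rules only fire on TLS 1.2 and earlier sessions, which is what the constructed records assume.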

“These modifications to xdr33 are not very sophisticated in terms of implementation, and coupled with the fact that the vulnerability used in this spread is N-day, we tend to rule out the possibility that the CIA continued to improve on the leaked source code and consider it to be the result of a cyber attack group borrowing the leaked source code.”
