In April 2017, a hacking group known as The ShadowBrokers released a data dump containing malware and hacking tools stolen from the arsenal of the NSA-Linked Equation Group. Among other things, the leak named ‘Lost in Translation’ contained an interesting script that checked for traces of other APTs in the compromised system, a new report from Kaspersky Lab revealed.

During the analysis of the script, the researchers discovered the existence of an APT group, which they dubbed ‘DarkUniverse’. This group was active for at least eight years, from 2009 to 2017 and appears to be a part of the ItaDuke umbrella of activities due to unique code overlaps. ItaDuke APT has been in action since at least 2013 and has been known to leverage PDF zero-day exploits to drop malware on the target systems and Twitter accounts to pass C2 URLs.

The DarkUniverse APT distributed malware through spear-phishing attacks using weaponized Microsoft Office documents, with each email prepared separately for each victim. The threat actor compiled each sample immediately before being sent and used latest available version of the malware executable. The experts have also noted that over the time the DarkUniverse framework evolved significantly.

The executable file embedded in the documents drops two dynamic-link libraries on the target system, the updater.mod and glue30.dll. The first one is responsible for providing communication with the C2 server, providing the malware integrity and persistence mechanism and managing other malware modules while the second one acts as a keylogger.

“The glue30.dll malware module provides keylogging functionality. The updater.mod module uses the Win API function SetWindowsHookExW to install hooks for the keyboard and to inject glue30.dll into processes that get keyboard input. After that, glue30.dll loads and begins intercepting input in the context of each hooked process,” according to the report.

In addition to establishing communication channel with attackers’ command and control server, the updater.mod also downloads additional malware modules, such as dfrgntfs5.sqt (a module for executing commands from the C2); msvcrt58.sqt (a module for stealing mail credentials and emails); zl4vq.sqt (legitimate zlib library used by dfrgntfs5); %victim_ID%.upe (optional plug-in for dfrgntfs5). All malware modules are encrypted with a custom algorithm.

The msvcrt58.sqt module intercepts unencrypted POP3 traffic to collect email conversations and victims’ credentials. This module looks for traffic from the following processes:

outlook.exe;

winmail.exe;

msimn.exe;

nlnotes.exe;

eudora.exe;

thunderbird.exe;

thunde~1.exe;

msmsgs.exe;

msnmsgr.exe.

The DarkUniverse framework has an impressive set of capabilities, including the ability to collect and decrypt credentials from Outlook Express, Outlook, Internet Explorer, Windows Mail and Windows Live Mail, Windows Live Messenger, and also Internet Cache, brute-force IP range with specified username and password, collect system info, uninstall itself, and provide basic MITM functionality.

Kaspersky identified around 20 victims in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates, but the researchers believe that the number of victims between 2009 and 2017 was much higher. The victims included both civil and military organizations.

“DarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years. The malware contains all the necessary modules for collecting all kinds of information about the user and the infected system and appears to be fully developed from scratch.”

“The attackers were resourceful and kept updating their malware during the full lifecycle of their operations, so the observed samples from 2017 are totally different from the initial samples from 2009. The suspension of its operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artefacts for their operations,” Kaspersky concluded.