New Backdoor Created Using Leaked CIA’s Hive Malware Discovered in the Wild

Jan 16, 2023Ravie LakshmananThreat Landscape / Malware

Unidentified risk actors have deployed a brand new backdoor that borrows its options from the U.S. Central Intelligence Agency (CIA)’s Hive multi-platform malware suite, the supply code of which was launched by WikiLeaks in November 2017.

“This is the first time we caught a variant of the CIA Hive attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33,” Qihoo Netlab 360’s Alex Turing and Hui Wang mentioned in a technical write-up printed final week.

xdr33 is alleged to be propagated by exploiting a safety vulnerability in the F5 equipment and speaking with a command-and-control (C2) server utilizing SSL with cast Kaspersky certificates.

The intent of the backdoor, per the Chinese cybersecurity agency, is to reap delicate data and act as a launchpad for subsequent intrusions. It improves upon Hive by including new C2 directions and functionalities, amongst different implementation adjustments.

The ELF pattern additional operates as a Beacon by periodically exfiltrating system metadata to the distant server and executing instructions issued by the C2.

CIA's Hive Malware
CIA's Hive Malware

This contains the means to obtain and add arbitrary information, run instructions utilizing cmd, and launch shell, in addition to updating and erasing traces of itself from the compromised host.

The malware additionally incorporates a Trigger module that is designed to listen in on community site visitors for a selected “trigger” packet in order to extract the C2 server talked about in the IP packet’s payload, set up connection, and watch for the execution of instructions issued by the C2.

“It is worth noting that Trigger C2 differs from Beacon C2 in the details of communication; after establishing an SSL tunnel, [the] bot and Trigger C2 use a Diffie-Helllman key exchange to establish a shared key, which is used in the AES algorithm to create a second layer of encryption,” the researchers defined.

Found this text fascinating? Follow us on Twitter and LinkedIn to learn extra unique content material we publish.

//e&&!t&&(jQuery.ajax({url:” t=””,s=””,r=0;r<e.feed.entry.length;r++){for(var a,l=0;l<e.feed.entry[r].link.length;l++)if("alternate"==e.feed.entry[r].link[l].rel){t=e.feed.entry[r].link[l].href;break}100<(a=(a="content"in e.feed.entry[r]?e.feed.entry[r].content.$t:"summary"in e.feed.entry[r]?e.feed.entry[r].summary.$t:"").replace(/]*>/g,””)).length&&(a=a.substring(0,90));var n=(n=e.feed.entry[r].title.$t).substring(0,58),o=(o=e.feed.entry[r].media$thumbnail.url.replace(//s72-c-e100/,”/s260-rj-e365″));s+=’

'+n+'
‘+n+’…
‘+a+”…

“}s+=””,document.getElementById(“consequence”).innerHTML=s}}),t=!0)})});
//]]>

Leave a Comment