CIA Inspired Backdoor Discovered, Could Lead To Compromised Security

A new software backdoor that emulates the HIVE malware suite created by the US Central Intelligence Agency (CIA) has been deployed by bad actors. The CIA software works across multiple platforms.

HIVE’s source code was leaked by WikiLeaks in November 2017. The new backdoor, called xdr33, is built similarly to the framework and features of the CIA software.

Hui Wang and Alex Turing of Qihoo Netlab 360, who named xdr33, called the backdoor a “variant” of the “HIVE attack kit.” The name of the backdoor was selected because it has a Bot-side certificate called CN=xdr33 embedded in it.
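As an added, defender-side example that is not part of the article or of the Netlab 360 report it quotes: a small Python scanner that pulls certificate commonName values out of a file image and flags the CN=xdr33 indicator named above. The sample file images, the helper and function names, and the minimal DER Name fragment are constructed for this example; the scan is a byte-level heuristic keyed on the commonName OID, not a full X.509 parser.

```python
import base64
import binascii
import re

# Indicator quoted in the article: the Bot-side certificate embedded in xdr33
# carries the subject CN=xdr33. Everything else here (sample bytes, function
# names) is constructed for this example.
INDICATOR_CN = "xdr33"

# DER encoding of the X.500 commonName attribute type, OID 2.5.4.3.
_CN_OID = b"\x06\x03\x55\x04\x03"
# ASN.1 string tags that commonName values are encoded with in practice:
# UTF8String, PrintableString, T61String, IA5String.
_STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}
_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, bytes used) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def common_names(der):
    """Return every commonName value found in a DER blob (heuristic, no full ASN.1 parse)."""
    names = []
    idx = der.find(_CN_OID)
    while idx >= 0:
        p = idx + len(_CN_OID)
        if p < len(der) and der[p] in _STRING_TAGS:
            decoded = _der_length(der, p + 1)
            if decoded:
                length, used = decoded
                value = der[p + 1 + used:p + 1 + used + length]
                if len(value) == length:
                    names.append(value.decode("utf-8", "replace"))
        idx = der.find(_CN_OID, idx + 1)
    return names


def embedded_certificate_cns(blob):
    """Collect commonNames from PEM certificates and bare DER inside an arbitrary file image."""
    found = []
    for m in _PEM_RE.finditer(blob):
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
        except (ValueError, binascii.Error):
            continue
        found.extend(common_names(der))
    # Base64 text never contains the raw OID bytes, so scanning the whole blob
    # picks up un-wrapped DER certificates without double-counting PEM ones.
    found.extend(common_names(blob))
    return list(dict.fromkeys(found))  # dedupe, keep order


def is_suspect(blob, indicator=INDICATOR_CN):
    """True when a certificate embedded in blob carries the indicator commonName."""
    return indicator in embedded_certificate_cns(blob)


def _fake_pem_with_cn(cn):
    """Constructed helper: build SET { SEQUENCE { OID, UTF8String } } and PEM-wrap it."""
    value = cn.encode()
    attr = _CN_OID + b"\x0c" + bytes([len(value)]) + value
    seq = b"\x30" + bytes([len(attr)]) + attr
    name_set = b"\x31" + bytes([len(seq)]) + seq
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(name_set)
            + b"-----END CERTIFICATE-----\n")


# Constructed file images: an ELF-like header, padding, then an embedded PEM block.
SAMPLE_SUSPECT = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + _fake_pem_with_cn("xdr33") + b"\x00" * 4
SAMPLE_BENIGN = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + _fake_pem_with_cn("updates.example") + b"\x00" * 4

if __name__ == "__main__":
    for label, blob in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, embedded_certificate_cns(blob), "HIT" if is_suspect(blob) else "clean")
```

Run it over a binary read with `open(path, "rb").read()` in place of the constructed samples; the same `common_names` routine works on a DER certificate captured from a TLS handshake, which is where a forged vendor certificate on the C2 side would surface.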

“[I]ts main purpose is to collect sensitive information and provide a foothold for subsequent intrusions,” they wrote in their report exposing xdr33.

Wang and Turing reported that when xdr33 is deployed on a device that has been compromised, the first thing it does is decrypt all the machine’s configuration information. Then, the backdoor analyzes whether it has root permissions and permission to access the machine as an administrator.

When the backdoor gains access, it initializes multiple processes, including runtime interval, PORT, and C2. Then, it uses functions called TriggerListen and beacon_start to open tasks called Trigger and Beacon.

Turing and Wang ran the backdoor and reported back on its functionality. They also reverse-analyzed xdr33’s functionalities to get a good read on how it works.

xdr33 exploits an “unspecified N-day security vulnerability in F5 appliances.” It uses a C2, or command-and-control, server to establish communications with the device. The server runs “SSL with forged Kaspersky certificates.”

Allegedly, the intentions behind xdr33 involve extracting sensitive data and, if desired, launching later attacks on the system. Because it has more functionality, more C2 instructions, and more tweaks than HIVE, it works more effectively.

xdr33 is capable of both uploading and downloading files. Most nefariously, it can wipe any hints of its presence from a computing system, so users may never know their device or network has been infiltrated.

