'DarkUniverse' APT referenced in 2017 Shadow Brokers leak uncovered by Kaspersky
DarkUniverse developed its full-featured malware from scratch but went quiet shortly after the Shadow Brokers leak
Security researchers at Kaspersky have revealed details about a new advanced persistent threat (APT) group, called DarkUniverse, that was mentioned in the 2017 Shadow Brokers leaks.
In 2017, a group calling itself Shadow Brokers published a data dump, called "Lost in Translation," revealing the hacking tools developed by the US National Security Agency (NSA). It sought to sell them to the highest bidder - but attracted no bids. It subsequently released many of the malware tools in its trove.
According to Kaspersky, the data dump included a script (sigs.py) that the leak's original operators used to check a breached system for the presence of other hacking groups, one of which was DarkUniverse. In total, this script was able to detect 44 APTs in a compromised network.
DarkUniverse was active from 2009 to 2017, according to Kaspersky, and then disappeared from the scene following the Shadow Brokers leak.
When active, it targeted various organisations in Iran, Syria, Russia, Afghanistan, the United Arab Emirates, Belarus, and several other countries. In total, it breached nearly 20 targets, including telecoms, medical institutions, and military agencies.
The nature of those targets indicates that it was a state-backed cyber crime organisation, rather than one motivated by profit.
To infect its targets, the group invested a large amount of time and effort in individual attacks. For example, a separate phishing email was created for each target to ensure that the message would induce the recipient to open the attached malware-laden documents.
The group also developed its full-featured malware from scratch, evolving it considerably over the life cycle of its operations. That is why the malware samples from 2017 were found to be completely different from the samples from 2009.
DarkUniverse's malware was capable of stealing various details from the infected systems, including:
- Screenshots
- Email conversations
- Keyboard input
- Files from directories
- Information from Windows registry
- Usernames and passwords from Internet Explorer, Outlook Express, Windows Live Messenger, Windows Mail, etc.
While Kaspersky refrained from speculating in its report about which nation-state could have benefited from the activities of DarkUniverse, it suspects the group could be linked to ItaDuke, a hacking group that has been targeting Tibetan and Uyghur communities since 2013.
The suspected link between ItaDuke and DarkUniverse is based on code overlap between the two groups' malware.
"DarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years," Kaspersky researchers wrote in a blog post.
"The suspension of its operations may be related to the publishing of the 'Lost in Translation' leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artefacts for their operations," they added.