Image default

New Backdoor Created Using Leaked CIA’s Hive Malware Discovered in the Wild

Jan 16, 2023Ravie LakshmananThreat Landscape / Malware

CIA's Hive Malware

Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)’s Hive multi-platform malware suite, the source code of which was released by WikiLeaks in November 2017.

“This is the first time we caught a variant of the CIA Hive attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33,” Qihoo Netlab 360’s Alex Turing and Hui Wang said in a technical write-up published last week.

xdr33 is said to be propagated by exploiting an unspecified N-day security vulnerability in F5 appliances. It communicates with a command-and-control (C2) server using SSL with forged Kaspersky certificates.

The intent of the backdoor, per the Chinese cybersecurity firm, is to harvest sensitive information and act as a launchpad for subsequent intrusions. It improves upon Hive by adding new C2 instructions and functionalities, among other implementation changes.

The ELF sample further operates as a Beacon by periodically exfiltrating system metadata to the remote server and executing commands issued by the C2.

CIA's Hive Malware CIA's Hive Malware

This includes the ability to download and upload arbitrary files, run commands using cmd, and launch shell, in addition to updating and erasing traces of itself from the compromised host.

The malware also incorporates a Trigger module that’s designed to eavesdrop on network traffic for a specific “trigger” packet in order to extract the C2 server mentioned in the IP packet’s payload, establish connection, and wait for the execution of commands sent by the C2.

“It is worth noting that Trigger C2 differs from Beacon C2 in the details of communication; after establishing an SSL tunnel, [the] bot and Trigger C2 use a Diffie-Helllman key exchange to establish a shared key, which is used in the AES algorithm to create a second layer of encryption,” the researchers explained.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Related posts

Australian Healthcare Sector Targeted in Latest Gootkit Malware Attacks

James Horns

Kinsing Cryptojacking Hits Kubernetes Clusters via Misconfigured PostgreSQL

James Horns

Google Rolling Out Privacy Sandbox Beta on Android 13 Devices

James Horns

Emotet Malware Makes a Comeback with New Evasion Techniques

James Horns

BitKeep Confirms Cyber Attack, Loses Over $9 Million in Digital Currencies

James Horns

CISOs Are Stressed Out and It’s Putting Companies at Risk

James Horns

Leave a Comment