Following its release by WikiLeaks in 2017, the CIA’s leaked Hive malware suite has been adapted by unidentified threat actors to be deployed as a new backdoor dubbed xdr33. It was spotted by Netlab 360’s Alex Turing and Hui Wang when the cybersecurity company’s honeypot system captured a suspicious ELS file propagating via F5 vulnerability with zero VT detection.
The main purpose of the backdoor is to collect system information and prepare for further intrusions. It uses forged Kaspersky certificates to communicate with its Command and Control server via SSL. The network traffic between xdr33 and its C2 server is encrypted with XTEA or AES with an additional layer of SSL with Client-Certificate Authentication mode to protect the traffic further.
It’s divided into two parts — Beacon and Trigger. The beacon periodically reports sensitive information about the infected device to the hard-coded C2 server and executes any commands it receives. The trigger monitors the NIC traffic to catch any concealed messages from trigger C2 and establishes communication to await further commands when such a message is received.
According to Netlab 360’s technical analysis, when compared head to head against Hive’s source code, xdr33 has been updated to add the following features.
- New C2 instructions.
- Functions have been wrapped or expanded.
- The trigger message uses a new format to hide activity.
- C2 operations have been added to the Beacon task.
- Reordering and extension of structs.
Overall, the malware can upload or download any files to or from the infected system, run commands using the Windows Command Prompt and launch the Windows shell. Finally, it can also update itself and remove any traces of its activity from the infected hosts’ system memory.
This is the first instance of such malware being captured in the wild. Since the malware can remove its traces from a compromised machine, it’s difficult to say at the moment how many victims it has had or whether or not there are any indicators of compromise (IOC).