In October 2022, researchers found a suspicious ELF file that propagated via an F5 vulnerability, had zero detections on VirusTotal (VT), and communicated with an IP address over SSL using forged Kaspersky certificates. Netlab recently released a report confirming that this sample was adapted from the leaked source code of the U.S. CIA's Hive project server.
Unfolding the mystery
This new variant of the HIVE kit, named Xdr33, mainly functions as a backdoor. It collects sensitive information and provides a foothold for subsequent intrusions.
It uses the AES or XTEA algorithm to encrypt the original traffic, and it protects the network communication with SSL in Client-Certificate Authentication mode.
The backdoor performs two main tasks: beacon and trigger. Beacon periodically reports PID, MAC, SystemUpTime, process, and network-related device information to the hard-coded C2 and executes the commands issued by it.
Trigger’s primary function is to monitor the NIC traffic to identify specific messages that conceal its C2. Subsequently, it establishes communication with the C2 in the Trigger payload and waits for the execution of the commands issued by it.
Sophistication level
Compared with the original leaked HIVE source code, Xdr33 has been modified and these modifications are not very sophisticated in terms of implementation.
Xdr33 has been updated with new CC instructions (some instruction category in microprocessors), wrapped or expanded functions, and reordered and expanded structs.
Moreover, it has a modified Trigger message format, and new CC operations were added to the Beacon task.
These modifications are coupled with the fact that the vulnerability used to spread it is an N-day.
Conclusion
Leak and reuse of CIA’s resources by malicious groups could have serious national security implications, putting connected corporations at risk of exploitation. With such threats looming, government agencies and organizations should reassess their security posture and equip themselves with ample cybersecurity shields to reduce the risks.