27 September 2023

Dark matter: How DarkUniverse hackers flew under the radar


Dan Goodin* says researchers have discovered a new hacking group known as DarkUniverse that has gone undetected for at least eight years.


Image: Gerd Altmann

With a tip that came from one of the biggest breaches in US National Security Agency (NSA) history, researchers have discovered a new hacking group that infects targets with a previously unknown piece of advanced malware.

Hints of the Advanced Persistent Threat (APT) group first emerged in April 2017.

That’s when a still-unidentified group calling itself Shadow Brokers published exploits and code developed by, and later stolen from, the NSA.

Titled ‘Lost in Translation’, the dispatch was best known for publishing the EternalBlue exploit that would later power the WannaCry and NotPetya worms, which caused tens of billions of dollars’ worth of damage worldwide.

But the dump included something else – a script that checked compromised computers for malware from a variety of APTs.

Researchers from Kaspersky Lab said one of the APTs described in the script started operations no later than 2009 and then vanished in 2017, the same year the Shadow Brokers post was published.

Dubbed DarkUniverse, the group is probably tied to ItaDuke – a group that has actively targeted Uyghur and Tibetan communities since 2013.

The link assessment is based on unique code overlaps in both groups’ malware.

Going to great lengths

Digging further into DarkUniverse, the researchers found that the group went to great lengths to infect and surveil targets.

For instance, spearphishing emails were prepared separately for each target to ensure they grabbed recipients’ attention and induced them to open an attached Microsoft document.

Additionally, the full-featured malware was developed from scratch and evolved considerably over the eight-year span of the group’s known existence.

Each malware sample was compiled immediately before being sent to include the latest available version of the executable.

“The attackers were resourceful and kept updating their malware during the full life cycle of their operations, so the observed samples from 2017 are totally different from the initial ones from 2009,” Kaspersky researchers wrote in a post published last week.

“The suspension of its operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artefacts for their operations.”

DarkUniverse’s modular malware was capable of collecting a wide range of information about the user and the infected system over an extended period.

Data collected included:

  • Keyboard input
  • Email conversations
  • Credentials from Outlook Express, Outlook, Internet Explorer, Windows Mail and Windows Live Mail, Windows Live Messenger, and Internet Cache
  • Screenshots
  • Files from specific directories
  • Data from remote servers and shared resources
  • A list of files of remote servers if specified credentials are valid
  • Information from the Windows registry.

The malware also had the ability to change DNS settings, perform basic man-in-the-middle attacks and download and execute files.

Command-and-control infrastructure was mostly hosted on the mydrive.ch cloud storage service.

DarkUniverse operators created a new account, along with additional malware modules and configuration files, for each target.

The researchers know of 20 infected targets geolocated in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus, and the United Arab Emirates.

The targets were both civilian and military organisations.

The researchers suspect the number of infections between 2009 and 2017 was much higher.

* Dan Goodin is the Security Editor at Ars Technica. He tweets at @dangoodin001.

This article first appeared at arstechnica.com
