silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,148
A threat actor that has been active for at least eight years has been creating new malware samples just before delivering them to victims, Kaspersky Lab reports. Dubbed DarkUniverse, the adversary is described as the 27th function of a ShadowBrokers script that was included in the 2017 ‘Lost in Translation’ leak and which was designed to check for traces of other APTs on the victim machine.
The malware was being disseminated using spear phishing emails. The messages were carefully tailored for each victim, to entice them into opening an attached malicious Microsoft Office document. An executable file embedded in the document would then begin the malicious routine, which started with dropping two files onto the system.
The first is the updater.mod module, which is implemented as a dynamic-link library with only one exported function, and which ensures communication with the command and control (C&C) server. The second file is glue30.dll, a module that provides keylogging functionality.
Persistence was achieved through a link file placed in the startup folder.
In one campaign, the C&C servers were mostly based on cloud storage at mydrive.ch, with a different account registered for each victim. Additional malware modules and a configuration file were stored in those accounts, Kaspersky reports.