• XRATOR
Conquer your risk

New CIA-Linked Malware Discovered in the Wild

Reflecting on the Risks of Leaks Involving State-Sponsored Cyber Espionage Toolkit like Vault7 and Vault8.

by Gert Van de Ven
January 17, 2023
in Cyber Attacks, Malware, News

On October 21, 2022, the Netlab team of Chinese cybersecurity firm Qihoo 360 captured a new malware sample in the wild, which it named xdr33. The malware is believed to be a variant of the U.S. Central Intelligence Agency (CIA)’s Hive multi-platform malware suite, whose source code was published by WikiLeaks in November 2017 as part of its Vault8 leaks.

APT arsenal exposed in public

In August 2016, the hacking group known as the Shadow Brokers leaked a large number of hacking tools and exploits believed to have been developed by the U.S. National Security Agency (NSA). Then, starting in March 2017, WikiLeaks published the Vault7 series of CIA documents, which included the documentation of the Hive implant framework, followed in November 2017 by Vault8, which contained the Hive source code itself. The tools described in the Vault leaks were believed to be used by the CIA for covert cyber operations, and their publication exposed the agency’s capabilities for multi-platform covert operations.

The cybersecurity community reacted to the Shadow Brokers and Vault7/Vault8 leaks with concern and condemnation. The release into the public domain of tools and exploits developed by nation-state agencies was seen as a significant threat to cybersecurity, and many security experts warned that they could be repurposed by malicious actors to launch cyber attacks. They were right: the EternalBlue exploit from the Shadow Brokers dump was reused within months in the WannaCry and NotPetya outbreaks of 2017.

The Vault7 and Vault8 leaks were particularly troubling. The Hive malware suite in particular was seen as a powerful and versatile implant framework that could be used to gain a foothold on a wide range of systems and platforms. This raised concerns both about the CIA’s ability to conduct covert operations at scale and about the potential for these tools to be reused for malicious purposes once public.

The leaks also highlighted the ongoing challenge of securing government-developed cyber tools and the need for more robust measures to protect against such leaks in the future. They also raised questions about the ethics of state-sponsored hacking and the implications of such tools for civil liberties and human rights.

The xdr33 Malware

xdr33 is believed to be propagated by exploiting an unspecified N-day vulnerability in F5 appliances. It communicates with its command-and-control (C2) server over TLS using forged Kaspersky certificates, that is, certificates that name Kaspersky in their subject but do not chain to a trusted certificate authority; a TLS session to an unknown host presenting such a certificate is therefore a concrete indicator a defender can hunt for. The intent of the backdoor, per Netlab 360, is to harvest sensitive information and act as a launchpad for subsequent intrusions. It improves upon Hive by adding new C2 instructions and functionalities, among other implementation changes.

The malware operates as a Beacon: it periodically exfiltrates system metadata to the remote server and executes commands issued by the C2. These include downloading and uploading arbitrary files, running commands, launching a shell, updating itself and erasing traces of itself from the compromised host. The malware also incorporates a Trigger module that passively inspects network traffic for a specific “trigger” packet, extracts the C2 server address carried in the IP packet’s payload, connects to it and waits for commands. Because the Trigger path does not need to call out until the packet arrives, a host compromised this way can stay quiet on the wire for long periods; the periodic beaconing, on the other hand, leaves a regular connection pattern in flow logs.
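As an added illustration, which is not code from the original post nor from Netlab 360’s analysis, the following Python script shows two log-side hunts matching the two behaviours described above: a TLS server certificate that names Kaspersky in its subject but is self-signed, and a connection pattern whose inter-arrival times are nearly constant, which is what a periodic beacon looks like in flow logs. The tab-separated log lines, the hosts and the certificate subjects are constructed for the example, and the Zeek-like field layout is an assumption to adapt to your own telemetry. The trigger-packet mechanism is not modelled because the page gives no packet format.

```python
"""Two log-side hunts for the xdr33 behaviours described above.

All log lines below are constructed for this example (Zeek-like,
tab-separated) and the field layout is an assumption; adapt the parsers
to your own telemetry. Hosts and certificate subjects are fictitious.
"""
from collections import defaultdict
from statistics import mean, pstdev

# --- 1. Forged vendor certificate ------------------------------------------
# Constructed ssl/x509-style records: ts, src, dst, dst_port, subject, issuer
SSL_LOG = (
    "1666339200.1\t10.0.0.5\t203.0.113.10\t443\t"
    "CN=Kaspersky Lab,O=Kaspersky\tCN=Kaspersky Lab,O=Kaspersky\n"
    "1666339260.4\t10.0.0.5\t198.51.100.20\t443\t"
    "CN=www.example.org\tCN=Example CA,O=Example Trust Services\n"
    "1666339300.2\t10.0.0.7\t203.0.113.11\t443\t"
    "CN=update.kaspersky.com,O=AO Kaspersky Lab\t"
    "CN=update.kaspersky.com,O=AO Kaspersky Lab\n"
)


def suspicious_certs(log_text, brand="kaspersky"):
    """Return (src, dst, subject) for sessions whose server certificate names
    the vendor in its subject but is self-signed (subject == issuer).
    A genuine vendor certificate chains to a public CA, so "vendor name plus
    self-signed" is the cheapest forged-certificate signal in the logs."""
    hits = []
    for line in log_text.splitlines():
        _ts, src, dst, _port, subject, issuer = line.split("\t")
        if brand in subject.lower() and subject == issuer:
            hits.append((src, dst, subject))
    return hits


# --- 2. Beacon periodicity -------------------------------------------------
def _make_conn_log():
    """Constructed conn-style records: ts, src, dst, dst_port."""
    rows = []
    t = 1666339200.0
    # implant-like: one session roughly every 60 s with a little jitter
    for gap in (0, 60, 61, 59, 60, 62, 60, 59):
        t += gap
        rows.append(f"{t:.1f}\t10.0.0.5\t203.0.113.10\t443")
    # human-like: short bursts separated by long silences
    for t2 in (1666339205.0, 1666339210.0, 1666339505.0,
               1666339515.0, 1666340105.0, 1666340110.0):
        rows.append(f"{t2:.1f}\t10.0.0.9\t198.51.100.20\t443")
    return "\n".join(rows) + "\n"


CONN_LOG = _make_conn_log()


def beacon_candidates(log_text, min_sessions=6, max_cv=0.1):
    """Flag (src, dst, port) tuples whose inter-arrival times are nearly
    constant: coefficient of variation (stdev / mean) below max_cv.
    Returns [(src, dst, port, n_sessions, mean_gap_s, cv)]."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port = line.split("\t")
        times[(src, dst, int(port))].append(float(ts))
    out = []
    for key, ts_list in times.items():
        if len(ts_list) < min_sessions:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv < max_cv:
            out.append((*key, len(ts_list), round(m, 1), round(cv, 3)))
    return out


if __name__ == "__main__":
    for hit in suspicious_certs(SSL_LOG):
        print("forged-cert candidate:", hit)
    for hit in beacon_candidates(CONN_LOG):
        print("beacon candidate:", hit)
```

On the constructed input the certificate check flags the two self-signed “Kaspersky” sessions and leaves the publicly issued one alone, and the periodicity check flags only the 60-second pattern. Two caveats apply in production: real Kaspersky endpoints do talk to Kaspersky servers, so validate the chain rather than matching on the name alone, and implants that randomise their sleep interval raise the coefficient of variation, so treat the threshold as a triage signal rather than a verdict.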

Conclusion

The discovery of xdr33 serves as a reminder of the ongoing risks posed by leaks of nation-state hacking tools. Leaks like Shadow Brokers and Vault7/Vault8 not only expose the capabilities of nation-state hacking groups but also hand malicious actors powerful tools that can be repurposed for their own use, and as more of them become public the threat landscape grows more complex. Organizations must stay vigilant and take proactive measures: in the case of xdr33 that means patching internet-facing appliances such as F5 devices promptly, since the implant is delivered through an N-day vulnerability, and watching outbound TLS traffic for forged vendor certificates and regular beaconing intervals.


Tags: CIA, Cyberespionage, NSA, ransomware, ShadowBrokers, Vault7, Vault8, Wikileaks, xdr33

"Conquer Your Risk" is a corporate blog for Cybersecurity and Risk Management executives and specialists, sharing XRATOR experts' views on Cybersecurity, Threat Intelligence, Risk Management and Cyber Insurance.

XRATOR® – copyright 2020-2021