Kaspersky discovered a previously unknown APT group, tracked as DarkUniverse , by analyzing Shadow Brokers’ “Lost in Translation” data dump.
In 2017, a hacker group known as the Shadow Brokers stolen malware and hacking tools from the arsenal of the NSA-Linked
The dump also included an intriguing Pyton script named
The analysis of the script revealed the existence of a mysterious APT group tracked by Kaspersky Lab as ‘

The researchers assess with medium confidence that DarkUniverse is under the ItaDuke umbrella of activities due to unique code overlaps. APT group has been active at least since 2013, it leverages PDF zero-day exploits to drop malware on the target systems and Twitter accounts to pass C2 URLs.
The
The threat actors compiled each malware immediately before sending it and always used the latest available version of the executable. Experts noticed that attackers were resourceful, they noticed that the framework evolved over the time in a significant way.
The executable file embedded in the documents drops two dynamic-link libraries on the target system, the updater
The updater
“The glue30.dll malware module provides
“The msvcrt58.sqt module intercepts unencrypted POP3 traffic to collect email conversations and victims’ credentials. This module looks for traffic from the following processes:
- outlook.exe;
- winmail.exe;
- msimn.exe;
- nlnotes.exe;
- eudora.exe;
- thunderbird.exe;
- thunde~1
. exe ; - msmsgs.exe;
- msnmsgr.exe.”
Kaspersky identified around 20 victims in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates, but experts believe that the number of victims between 2009 and 2017 was much greater.
Attackers used C2 servers
“
“The suspension of its operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available
|
(SecurityAffairs – APT, malware)