Unknown, and therefore unidentified, authors have implemented a new backdoor that borrows its functionality from Hive, the cross-platform malware suite of the United States Central Intelligence Agency (CIA), whose source code was released by WikiLeaks in November 2017.

Unlike other cases, however, this is not a matter of user carelessness.

“This is the first time we’ve spotted a variant of the CIA’s Hive attack kit on the web and named it xdr33 based on its embedded bot-side certificate CN=xdr33,” declared Alex Turing and Hui Wang of Qihoo Netlab 360 in a technical write-up published last week.

It appears that xdr33 propagates by exploiting an unspecified N-day security vulnerability in F5 appliances, and that it communicates with a command and control (C2) server over SSL using forged Kaspersky certificates.

According to the Chinese information security company, the intent of the backdoor is to exfiltrate sensitive information and to act as a springboard for subsequent intrusions; to that end, Hive has been extended beyond the original CIA design with new C2 instructions and functionality, among many other changes.

The ELF sample also works as a beacon, periodically exfiltrating system metadata to the remote server and executing commands issued by the C2.

This includes the ability to download and upload infected files, execute commands using cmd, launch shells (PowerShell), and update or delete traces of itself on the compromised host.

The malware also incorporates a Trigger module that watches network traffic for a specific “trigger” packet, extracts the C2 server address declared in the IP packet payload, establishes the connection and then waits for commands sent by that C2.

“Note that Trigger C2 differs from Beacon C2 in communication details; after establishing an SSL tunnel, [the] bot and Trigger C2 use a Diffie-Hellman key exchange to establish a shared key, which is used in the AES algorithm to create a second layer of encryption,” the researchers explained.

Technical analysis of the modified Hive malware kit

On October 21, 2022, 360Netlab’s honeypot system caught a suspicious ELF file with MD5 ee07a74d12c0bb3594965b51d0e45b6f, which propagated via an F5 vulnerability and had zero detections on VirusTotal. The researchers noticed that it communicates with the IP address 45.9.150.144 over SSL using forged Kaspersky certificates.

Upon further research, it was found that this sample was adapted from the leaked server source code of the CIA’s Project Hive. This is the first time a variant of the CIA’s HIVE attack kit has actually been observed, and it has been named xdr33 after its embedded bot-side certificate CN=xdr33, as mentioned at the beginning of the article.
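A small triage script, added here as an example and not part of 360Netlab’s analysis, that matches the indicators the article names (the sample’s MD5, the C2 IP address and the bot-side certificate CN=xdr33) against TLS connection logs. The key=value log layout and the sample lines are constructed for illustration; the Kaspersky-name check is a review heuristic assumed here, not an indicator from the article.

```python
from dataclasses import dataclass
from typing import List, Optional

# Indicators named in the article: MD5 of the ELF sample, C2 IP, bot certificate CN.
XDR33_MD5 = "ee07a74d12c0bb3594965b51d0e45b6f"
XDR33_C2_IPS = {"45.9.150.144"}
XDR33_CERT_CN = "xdr33"

@dataclass(frozen=True)
class Hit:
    line_no: int
    reason: str

def _parse_kv(line: str) -> dict:
    """Parse a constructed 'key=value key=value' log line (values contain no spaces)."""
    fields = {}
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
    return fields

def _cert_cn(subject: str) -> Optional[str]:
    """Return the CN of a comma-separated X.509 subject such as 'CN=xdr33,O=x'."""
    for part in subject.split(","):
        key, _, val = part.partition("=")
        if key.strip().upper() == "CN":
            return val.strip()
    return None

def scan_ssl_log(lines) -> List[Hit]:
    """Flag log lines matching the xdr33 indicators; one Hit per matching reason."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = _parse_kv(line)
        if f.get("dst_ip") in XDR33_C2_IPS:
            hits.append(Hit(n, f"connection to known xdr33 C2 {f['dst_ip']}"))
        if _cert_cn(f.get("client_subject", "")) == XDR33_CERT_CN:
            hits.append(Hit(n, "client presented the xdr33 bot-side certificate (CN=xdr33)"))
        # Assumed heuristic: xdr33 C2 used forged Kaspersky certificates, so a
        # Kaspersky-named server certificate deserves an issuer-chain check.
        if "kaspersky" in f.get("server_subject", "").lower():
            hits.append(Hit(n, "server certificate claims Kaspersky; verify issuer chain"))
        if f.get("file_md5") == XDR33_MD5:
            hits.append(Hit(n, "file hash matches the xdr33 ELF sample"))
    return hits

# Constructed sample lines (not real traffic): one xdr33-like connection, one benign.
SAMPLE_SSL_LOG = [
    "ts=1666339200 src=10.0.0.5 dst_ip=45.9.150.144 dst_port=443 "
    "server_subject=CN=Kaspersky,O=Kaspersky client_subject=CN=xdr33 "
    "file_md5=ee07a74d12c0bb3594965b51d0e45b6f",
    "ts=1666339260 src=10.0.0.7 dst_ip=93.184.216.34 dst_port=443 "
    "server_subject=CN=example.org client_subject=-",
]

if __name__ == "__main__":
    for hit in scan_ssl_log(SAMPLE_SSL_LOG):
        print(f"line {hit.line_no}: {hit.reason}")
```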

Hive uses the BEACON_HEADER_VERSION macro to define its version; the macro has the value 29 in the master branch of the source code and 34 in xdr33, which suggests that xdr33 has already gone through several rounds of iterative updates. Compared with the HIVE source code, xdr33 has been changed in the following five areas:

New CC instructions have been added

Wrapping or expanding functions

The facilities have been rearranged and extended

Activation message format

Adding CC operations to the Beacon activity

These xdr33 modifications are not very sophisticated in their implementation, and given that the vulnerability used in this campaign is an N-day, the possibility that the CIA itself continued to improve the leaked source code can be ruled out; the most plausible hypothesis is that the HIVE source code has been “enhanced” by third parties.