- A new variant of CIA’s Hive attack kit was spotted and named “xdr33” after its bot-side certificate “CN=xdr33”.
- The xdr33 variant of Hive can be used to access private data and act as a launching point for further attacks.
- 360 Netlab caught the file using SSL with forged Kaspersky certificates and upon further research, concluded that the sample was created using the previously leaked CIA’s Hive project server source code.
On October 21st of 2022, 360 Netlab caught a file using SSL with forged Kaspersky certificates, communicating with a suspicious IP. Kaspersky is a cybersecurity company that provides comprehensive protection against cyber threats. After digging deeper, it was found that the sample was created using CIA’s Hive project server source code that was leaked by WikiLeaks in November of 2017.
How it operates
This is the first time a variant of the CIA Hive attack kit was seen elsewhere, and it was named after its bot-side certificate, CN=xdr33. xdr33 acts as a backdoor, gathers private data, and serves as a base for additional intrusions. Once it reaches a device, xdr33 checks for root/admin permissions. If it does not have these permissions, it will print “insufficient permissions. try again…” and exit. Otherwise, it will initialize various runtime parameters. Finally, two functions, beacon_start and TriggerListen, are used to open the two tasks of Beacon and Trigger. The functional schematic is shown below:
Compared to the Hive source code, where it originated, xdr33 seems to have been updated in the following 5 areas:
- New CC instructions have been added.
- Wrapping or expanding functions.
- Structs have been reordered and extended.
- Trigger message format.
- Addition of CC operations to the Beacon task.
These changes to xdr33 seem to be not very difficult to implement and quite old, so the possibility of the CIA continuing to improve the leaked source code seems slim. Therefore, it is believed that a cybercriminal organization borrowed the leaked source code to accomplish its attack.
The code is simple and straightforward, and its main purpose is to download the next stage of the sample and disguise it as /command/bin/hlogd and install logd service for persistence.