Unknown attackers have developed a new backdoor whose functionality is borrowed from HIVE, the multi-platform malware suite attributed to the United States CIA. The HIVE source code was published in November 2017.
"This is our first encounter in the public domain with a variant based on the CIA's HIVE. We named it XDR33 after the built-in certificate CN=XDR33," said Alex Turing and Hui Wang of the Qihoo 360 Netlab in a technical report published last week.
XDR33 is reported to spread by exploiting an unpatched security vulnerability. It communicates with its command-and-control (C2) server over SSL, using forged Kaspersky Lab certificates.
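The two certificate traits the report describes, a built-in certificate with CN=XDR33 and C2 traffic protected by forged Kaspersky-branded certificates, can be hunted for in TLS session logs. The following detection logic is an added example, not code from the article or from Qihoo 360; it assumes Zeek-style ssl.log fields, and the log lines it runs over are constructed sample data, not real observations.

```python
"""Flag TLS sessions whose server certificate matches the traits reported for
XDR33: a certificate with CN=XDR33, or a Kaspersky-branded certificate that
does not validate against the trust store (the forged-certificate pattern).
Input is a subset of Zeek ssl.log fields; the sample below is constructed."""
import csv
import io
import re

# Assumed field layout (a subset of Zeek's ssl.log columns).
FIELDS = ["ts", "id.orig_h", "id.resp_h", "id.resp_p", "subject", "issuer", "validation_status"]

# Constructed sample log; hosts are documentation-range addresses, not real IoCs.
SAMPLE_SSL_LOG = """\
1673000000.1\t10.0.0.5\t198.51.100.7\t443\tCN=XDR33\tCN=XDR33\tself signed certificate
1673000001.2\t10.0.0.5\t203.0.113.9\t443\tCN=Kaspersky Lab,O=Kaspersky Lab\tCN=Kaspersky Lab,O=Kaspersky Lab\tself signed certificate
1673000002.3\t10.0.0.6\t192.0.2.20\t443\tCN=www.example.com,O=Example Inc\tCN=Example Public CA,O=Example Trust\tok
1673000003.4\t10.0.0.7\t192.0.2.30\t443\tCN=updates.kaspersky.com,O=Kaspersky Lab\tCN=Example Public CA,O=Example Trust\tok
"""

XDR33_CN = re.compile(r"(?:^|,)\s*CN=XDR33\s*(?:,|$)", re.IGNORECASE)
KASPERSKY = re.compile(r"kaspersky", re.IGNORECASE)


def suspicious_tls_sessions(log_text):
    """Return (responder_host, reason) for each session matching an XDR33 trait."""
    hits = []
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS, delimiter="\t")
    for row in reader:
        subject, issuer = row["subject"], row["issuer"]
        status = row["validation_status"].strip().lower()
        if XDR33_CN.search(subject) or XDR33_CN.search(issuer):
            hits.append((row["id.resp_h"], "certificate CN=XDR33"))
        elif KASPERSKY.search(subject) and status != "ok":
            # Genuine Kaspersky services present certificates that validate;
            # a Kaspersky-branded certificate that fails validation is the
            # forged-certificate pattern the report describes.
            hits.append((row["id.resp_h"], "Kaspersky-branded cert, validation: " + status))
    return hits


if __name__ == "__main__":
    for host, reason in suspicious_tls_sessions(SAMPLE_SSL_LOG):
        print(host, reason)
```

The fourth sample line shows why the validation status matters: a Kaspersky-branded certificate that chains to a trusted CA is left alone.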
How XDR33 works
According to the Qihoo 360 report, the backdoor's goal is to collect confidential information and lay the groundwork for subsequent attacks. The attackers slightly reworked the original HIVE structure, adding new C2 commands and functions to it.
The executable also acts as a beacon: it periodically sends system metadata to a remote server and executes commands received from the C2.
This mode of operation lets the backdoor exchange files in both directions, run command-line operations, launch other programs, and even clean up its traces on the compromised device.