A full cyber-espionage framework was active for at least eight years, research discovers
November 2019 by Kaspersky
Kaspersky researchers have reported their 2018 findings on the DarkUniverse – a mysterious advanced persistent threat (APT) framework that was active for at least eight years, from 2009 to 2017, and used for targeted attacks.
Targets of the APT were found in various Middle East and African countries, as well as in Russia and Belarus. The malware, which was spread via spear phishing, seems to have been developed from scratch and contained modules capable of collecting all kinds of information about the user and the infected system over an extended period of time, such as:
Files from specific directories
Data from remote servers and shared resources used by the victims
Alexander Fedotov, Kaspersky malware analyst comments: ‘The case of DarkUniverse is curious, because the samples observed from 2017 are totally different from the initial samples from 2009, which means that the attackers were resourceful enough to keep the malware up to date. Moreover, the unique code overlaps enable us to state with medium confidence that the DarkUniverse creators were connected with ItaDuke, which was first detected in 2013. This APT used PDF exploits to drop malware, and Twitter accounts to store command and control server URLs. The suspension of DarkUniverse operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artefacts for their operations’.