Newly Discovered DarkUniverse APT Linked to ItaDuke Operations

Delaware, USA – November 6, 2019 – Lost in Translation leak released by Shadow Brokers continues to surprise and reveal information about previously unknown APT groups. Among the published tools there was also a script that checked systems attacked by the Equation Group for the presence of malware developed by other threat actors. The signature analysis allowed Kaspersky Lab experts to identify DarkUniverse APT, which used a regularly updated modular framework in highly targeted attacks in 2009 – 2017. Unique code overlaps allow stating with moderate confidence that DarkUniverse APT spread ItaDuke malware in 2013 exploiting zero-day in Adobe Acrobat Reader. Adversaries remained undetected for eight years thanks to the rare use of the framework and spear-phishing emails unique per each victim. In every detected case, DarkUniverse APT demonstrated deep knowledge about the intended victim when composing the text of the letter convincing them to open the attached Microsoft Word document with an embedded malicious executable that dropped two files into the attacked system. Both files were compiled shortly before the attack, and each new version of the malware was different from its predecessor, in addition, a separate command and control infrastructure was prepared for each target. Depending on the victim, cybercriminals downloaded the necessary modules for cyber espionage activity. So far, about 20 victims have been identified in EMEA and Africa, but experts suggest that there are many more.

The group traces are lost after the dump is published. It is likely that DarkUniverse discovered the signatures of their tools, halted the campaign, and started using other malware that was not yet known to researchers. It is unlikely that the APT group that used zero-days and remained undetected for such a long time simply stopped its activity. To uncover attacks of advanced hacking groups by indirect evidence, you can use your SIEM and the APT Framework rule pack: