Stories
Slash Boxes
Comments

SoylentNews is people

DarkUniverse APT Uses Just-in-Time Malware Creation

posted by Fnord666 on Monday November 11 2019, @01:58PM   Printer-friendly
from the sounds-like-a-DC-comic dept.

upstart writes:

Submitted via IRC for chromas

DarkUniverse APT Uses Just-in-Time Malware Creation

A threat actor that has been active for at least eight years has been creating new malware samples just before delivering them to victims, Kaspersky Lab reports. 

Dubbed DarkUniverse, the adversary is described as the 27th function of a ShadowBrokers script that was included in the 2017 'Lost in Translation' leak and which was designed to check for traces of other APTs on the victim machine.

Code overlaps suggest that the hackers are likely part of the ItaDuke set of activities initially detailed in 2013, Kaspersky's security researchers say. 

The group appears to have been active between 2009 and 2017, and the employed malware samples reveal a variety of changes, with the most recent samples being totally different from the older ones. 

The malware was being disseminated using spear phishing emails. The messages were carefully tailored for each victim, to entice them into opening an attached malicious Microsoft Office document. An executable file embedded in the document would then begin the malicious routine, which started with dropping two files onto the system. 

The first is the updater.mod module, which is implemented as a dynamic-link library with only one exported function, and which ensures communication with the command and control (C&C) server. The second file is glue30.dll, a module that provides keylogging functionality. 

Persistence was achieved through a link file placed in the startup folder. 

Also at BleepingComputer

Original Submission

 
This discussion has been archived. No new comments can be posted.
DarkUniverse APT Uses Just-in-Time Malware Creation | Log In/Create an Account | Top | 11 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: -1, Troll) by Anonymous Coward on Monday November 11 2019, @02:26PM (3 children)

    by Anonymous Coward on Monday November 11 2019, @02:26PM (#918931)

    Seriously. Email has been 100% spam for at least ten years. I don't even open any email anymore.

    Important communication is done by phone or Slack. Email is totally worthless.

    Starting Score:    0  points
    Moderation   -1  
       Troll=1, Disagree=1, Total=2
    Extra 'Troll' Modifier   0  
    Total Score:   -1  

  • (Score: 2) by SomeGuy on Monday November 11 2019, @03:24PM (1 child)

    by SomeGuy (5632) on Monday November 11 2019, @03:24PM (#918956)

    E-mail is not locked in to a specific technology or vendor. It offers versatilely that is not available elsewhere. E-mail is extremely valuable to those that know what they are doing.

    • (Score: 2) by ikanreed on Monday November 11 2019, @03:34PM

      by ikanreed (3164) Subscriber Badge on Monday November 11 2019, @03:34PM (#918960) Journal

      SMS is also an open protocol. The entire extent of vendor lock-in for SMS comes from how expensive the hardware is.

  • (Score: 2) by DannyB on Monday November 11 2019, @06:25PM

    by DannyB (5839) Subscriber Badge on Monday November 11 2019, @06:25PM (#918996) Journal

    Important communication is done by phone or Slack.

    Never heard of Slack. I thought all important communication, especially government communication is done by Twitter.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.