Antivirus company Kaspersky uncovered an advanced persistent threat (APT) group that had been operating stealthily from at least 2009 until 2017. Kaspersky has named the newly discovered APT group DarkUniverse.
The security vendor uncovered the threat as part of its investigation of the "Shadow Brokers" data leak from 2017. DarkUniverse used spear phishing to spread its own malware via malicious Microsoft Office documents. According to Kaspersky, each email was specifically crafted for its high-value target.
Kaspersky believes that DarkUniverse is part of ItaDuke, a malicious group that has been known since 2013, because much of the exploitation code used by the two groups overlaps. ItaDuke has primarily infected victims via spear phishing with malicious PDF files and has also used Twitter accounts to store command and control (C2) server URLs.
The DarkUniverse hackers seem to have been well-funded, as their tools evolved significantly over the years. "Since the framework evolved from 2009 to 2017, the last releases are totally different from the first ones," Kaspersky said.
Kaspersky also noted that the malware framework DarkUniverse used includes all the necessary modules needed to collect all kinds of information about the target victims and their devices. The framework seems to have been developed from scratch.
According to Kaspersky, DarkUniverse seemingly suspended its operations when the Shadow Brokers' data leak, containing many NSA tools, went public in 2017. It is not clear whether this was a coincidence or whether the DarkUniverse group has ties to the NSA.