Antivirus company Kaspersky uncovered an advanced persistent threat (APT) group that had been operating stealthily from at least 2009 until 2017. Kaspersky has named the newly discovered APT group DarkUniverse.
The security vendor uncovered the threat as part of its investigation of the “Shadow Brokers” data leak from 2017. DarkUniverse used spear phishing to spread its own malware via malicious Microsoft Office documents. According to Kaspersky, each email was specifically crafted for each high-value targets.
Kaspersky believes that DarkUniverse is part of the ItaDuke, a malicious group that has been known since 2013, because much of the exploitation code used by the two groups overlaps. ItaDuke has primarily infected victims via spear phishing with malicious PDF files and has also used Twitter accounts to store command and control (C2) server URLs.
The DarkUniverse hackers seem to have been well-funded, as their tools evolved significantly over the years. "Since the framework evolved from 2009 to 2017, the last releases are totally different from the first ones," Kaspersky said.
Kaspersky also noted that the malware framework DarkUniverse used includes all the necessary modules needed to collect all kinds of information about the target victims and their devices. The framework seems to have been developed from scratch.
According to Kaspersky, DarkUniverse seemingly suspended its operations when the Shadow Brokers' data leak, containing many NSA tools, went public in 2017. It's not clear whether or not this was a coincidence, or if the DarkUniverse groups has ties to the NSA.
Stay on the Cutting Edge
Join the experts who read Tom's Hardware for the inside track on enthusiast PC tech news — and have for over 25 years. We'll send breaking news and in-depth reviews of CPUs, GPUs, AI, maker hardware and more straight to your inbox.
Your fingerprints can be recreated from the sounds made when you swipe on a touchscreen — Chinese and US researchers show new side channel can reproduce fingerprints to enable attacks
Russian military botnet discovered on 1000+ compromised routers — FBI deactivated Moobot by taking control of impacted routers