CIA's Hive Multi-Platform Attack Kit

It has been reported that a group or individual, whose identity is currently unknown, has released a new “backdoor.” This backdoor has been designed to function in a similar manner to a piece of malware known as “Hive,” which was developed by the United States Central Intelligence Agency (CIA). 

The source code for Hive was made publicly available by the organization known as WikiLeaks in November 2017. 

This means that anyone with knowledge of programming and access to the leaked source code could potentially create their own version of the malware, and it is believed that the unidentified actors in question have used this information to develop their own version of the malware.


For the first time, the honeypot system of 360Netlab detected a variant of the CIA Hive attack kit in the wild. The experts have named this variant “xdr33” because a Bot-side certificate with CN=xdr33 is embedded within it.


xdr33 is believed to originate from an N-day security vulnerability in F5 appliances. It communicates with the command-and-control (C2) server over SSL using forged Kaspersky certificates.

A Chinese cybersecurity firm claims that the intention behind the backdoor is to harvest sensitive information by exploiting a vulnerability, and then to provide a launchpad for intrusions into other systems.

This new implementation adds new functionality and instructions to Hive, along with a number of implementation changes.

In the following diagram, we can see how the functional schematics are laid out:

[Figure: Hackers Using Leaked CIA's Hive]

Based on a comparison with the Hive source code, the following five areas have been updated in xdr33:

  • New CC instructions have been added
  • Wrapping or expanding functions
  • Structs have been reordered and extended
  • Trigger message format
  • Addition of CC operations to the Beacon task

The ELF file is designed to operate as a “Beacon” by regularly sending information about the infected system (known as “system metadata”) to a remote server controlled by the attackers.

Additionally, the malware is capable of executing commands issued by the C2 server, allowing the attackers to control the infected system remotely.

Communication between xdr33 and the Beacon C2 proceeds in the following four steps:

  • Two-way SSL authentication
  • Obtain XTEA key
  • Report XTEA encrypted device information to C2
  • Execute the commands sent by C2
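Because the Beacon channel begins with two-way SSL authentication, the Bot-side certificate (CN=xdr33) and the Kaspersky-named server certificate are both visible to TLS logging. The following is an added detection sketch, not code from 360Netlab or from the malware; the JSON record layout, field names and sample lines are constructed, and it assumes a forged brand certificate fails chain validation.

```python
import json
import re

BOT_CN = "xdr33"     # Bot-side certificate CN reported for this variant
BRAND = "kaspersky"  # name carried by the forged C2 certificates

# Constructed sample records (JSON lines); field names are hypothetical.
SAMPLE_LOG = r"""
{"id":"s1","client_subject":"CN=xdr33","server_subject":"CN=c2.example.net,O=Kaspersky Example","server_issuer":"O=Kaspersky Example","chain_valid":false}
{"id":"s2","client_subject":null,"server_subject":"CN=av.example.com,O=Kaspersky Example","server_issuer":"CN=Example CA","chain_valid":true}
{"id":"s3","client_subject":"OU=ops\\, east,CN=XDR33","server_subject":"CN=host.example.net","server_issuer":"CN=Example CA","chain_valid":true}
{"id":"s4","client_subject":null,"server_subject":"CN=upd.example.net,O=Kaspersky Example","server_issuer":"O=Kaspersky Example","chain_valid":false}
{"id":"s5","client_subject":"CN=xdr3
"""

def parse_dn(dn):
    # Split a DN string into {ATTR: [values]}; "\," is an escaped comma.
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn or ""):
        key, sep, value = rdn.partition("=")
        if sep:
            attrs.setdefault(key.strip().upper(), []).append(value.strip().replace("\\,", ","))
    return attrs

def analyse(rec):
    findings = []
    cns = parse_dn(rec.get("client_subject")).get("CN", [])
    if any(cn.lower() == BOT_CN for cn in cns):  # mutual-TLS client presenting the bot cert
        findings.append("client-cert-cn-xdr33")
    names = f'{rec.get("server_subject")}|{rec.get("server_issuer")}'.lower()
    # Assumption: a forged brand certificate will not chain to a trusted root.
    if BRAND in names and not rec.get("chain_valid", False):
        findings.append("kaspersky-named-cert-fails-validation")
    return findings

def scan(log_text):
    hits = {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated lines instead of aborting the scan
        findings = analyse(rec)
        if findings:
            hits[rec.get("id", "?")] = findings
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The legitimately validated Kaspersky-named session (s2) is not flagged, which keeps the second rule from firing on real vendor traffic.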

There is also a “Trigger module” that monitors network traffic for a specific “trigger” packet. 

When the trigger packet is detected, the malware extracts the IP address of the C2 server and establishes a connection to it. The malware then waits for commands to be sent by the C2 server and executes them. 

In other words, the malware is configured to wait passively for a specific signal or command to activate it and connect to the C2 server. This trigger mechanism is used to evade detection and stay hidden until it receives the command to execute its malicious actions.

The Trigger C2 method differs from the “Beacon C2” method in several ways, mainly in terms of communication.

The Bot and Trigger C2 establish a shared key using a Diffie-Hellman key exchange. This key is then used to create a second layer of encryption using the AES algorithm, which establishes a stronger level of encryption.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.