Cyber Security News

Hackers Using Leaked CIA’s Hive Multi-Platform Attack Kit in the Wild

It has been reported that an as-yet unidentified group or individual has released a new backdoor designed to function much like “Hive,” a piece of malware developed by the United States Central Intelligence Agency (CIA).

The source code for Hive was made publicly available by the organization known as WikiLeaks in November 2017. 

This means that anyone with knowledge of programming and access to the leaked source code could potentially create their own version of the malware, and it is believed that the unidentified actors in question have used this information to develop their own version of the malware.

CIA’s Hive Multi-Platform Attack Kit

For the first time, the honeypot system of 360Netlab has captured a variant of the CIA Hive attack kit in the wild. The researchers named the variant “xdr33” after the bot-side certificate, with CN=xdr33, embedded in it.

xdr33 is believed to be delivered by exploiting an N-day vulnerability in F5 appliances. It communicates with its command-and-control (C2) server over SSL using forged Kaspersky certificates.

The Chinese cybersecurity firm says the backdoor’s purpose is to harvest sensitive information from the compromised device and then use that device as a launchpad for intrusions into other systems.

This new implementation brings new functionality and instructions to Hive, as well as a number of implementation changes that improve on it in many ways.

The functional schematic of xdr33 is laid out in the article’s diagram (image not reproduced here).

Compared with the Hive source code, xdr33 has been changed in the following five areas:-

  • New CC instructions have been added
  • Wrapping or expanding functions
  • Structs have been reordered and extended
  • Trigger message format
  • Addition of CC operations to the Beacon task

The ELF binary is designed to operate as a “Beacon,” regularly sending information about the infected system (its “system metadata”) to a remote server controlled by the attackers.

Additionally, the malware is capable of executing commands issued by the C2 server, allowing the attackers to control the infected system remotely.

In Beacon mode, xdr33 and its C2 communicate in the following four steps:-

  • Two-way SSL authentication
  • Obtain XTEA key
  • Report XTEA encrypted device information to C2
  • Execute the commands sent by C2
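Two of the four steps hinge on XTEA: the bot obtains an XTEA key and then reports device information encrypted under it. The reference implementation below is an added example, not code from xdr33, Hive or 360Netlab; it gives an analyst who has recovered a session key from a lab sample a known-good XTEA to decrypt captured reports with. It assumes the textbook XTEA parameters (64-bit block, 128-bit key, 32 rounds, little-endian words). How xdr33 frames, pads or chains its blocks is not described in the report, so the ECB-with-padding wrapper, the sample key and the sample device string are constructed assumptions.

```python
import struct

DELTA = 0x9E3779B9       # XTEA round constant (golden ratio derived)
MASK = 0xFFFFFFFF        # all arithmetic is modulo 2**32
BLOCK = 8                # XTEA block size in bytes


def xtea_encrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    """Textbook XTEA: encrypt one 8-byte block under a 16-byte key."""
    if len(block) != BLOCK or len(key) != 16:
        raise ValueError("XTEA needs an 8-byte block and a 16-byte key")
    v0, v1 = struct.unpack("<2I", block)   # little-endian words (assumed)
    k = struct.unpack("<4I", key)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack("<2I", v0, v1)


def xtea_decrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    """Inverse of xtea_encrypt_block: run the rounds backwards from the final sum."""
    if len(block) != BLOCK or len(key) != 16:
        raise ValueError("XTEA needs an 8-byte block and a 16-byte key")
    v0, v1 = struct.unpack("<2I", block)
    k = struct.unpack("<4I", key)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack("<2I", v0, v1)


def _pad(data: bytes) -> bytes:
    # PKCS#7-style padding to an 8-byte boundary; the real framing is an assumption.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def xtea_encrypt(data: bytes, key: bytes) -> bytes:
    """ECB over padded data. ECB is used only for clarity: it leaks repeated blocks,
    and a lab decryptor must match whatever mode the analysed sample really uses."""
    padded = _pad(data)
    return b"".join(xtea_encrypt_block(padded[i:i + BLOCK], key)
                    for i in range(0, len(padded), BLOCK))


def xtea_decrypt(data: bytes, key: bytes) -> bytes:
    if len(data) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    plain = b"".join(xtea_decrypt_block(data[i:i + BLOCK], key)
                     for i in range(0, len(data), BLOCK))
    return _unpad(plain)


# Constructed sample: a session key and a device-information report.
SAMPLE_KEY = bytes(range(16))
SAMPLE_REPORT = b"hostname=appliance-01;os=linux"


def demo_round_trip() -> bytes:
    """Encrypt the constructed report and decrypt it again; returns the recovered bytes."""
    return xtea_decrypt(xtea_encrypt(SAMPLE_REPORT, SAMPLE_KEY), SAMPLE_KEY)


if __name__ == "__main__":
    # Known-answer check: all-zero key and block give the XTEA vector DEE9D4D8 F7131ED9.
    print(xtea_encrypt_block(bytes(8), bytes(16)).hex())
    print(demo_round_trip())
```

The all-zero known-answer vector is the quickest way to confirm that a decryptor built for a captured sample has the round structure and word order right before any real key is tried.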

There is also a “Trigger module” that monitors network traffic for a specific “trigger” packet. 

When the trigger packet is detected, the malware extracts the IP address of the C2 server and establishes a connection to it. The malware then waits for commands to be sent by the C2 server and executes them. 

In other words, the malware is configured to wait passively for a specific signal or command to activate it and connect to the C2 server. This trigger mechanism is used to evade detection and stay hidden until it receives the command to execute its malicious actions.
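The passive pattern just described, an unsolicited inbound packet followed by a fresh outbound connection from the same host to an address that need not be the packet's source, is what a defender can look for in flow data. The detector below is an added example, not anything from the 360Netlab report: it correlates inbound flows to ports a host is not known to serve with outbound connections from that host inside a short window. The flow records, the internal address ranges, the per-host listening-port list and the 60-second window are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumption: address ranges that count as "inside" this environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds (constructed timestamps in the sample below)
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    host: str
    trigger: Flow
    callback: Flow


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_trigger_callbacks(flows, listening_ports, window: float = 60.0):
    """Flag an internal host that receives an external packet on a port it does not
    normally serve and then opens an outbound connection within `window` seconds.
    The callback destination is deliberately not required to equal the trigger's
    source: the report says the C2 address is carried in the trigger packet itself."""
    alerts = []
    pending = defaultdict(list)   # host -> candidate trigger flows not yet matched
    for f in sorted(flows, key=lambda x: x.ts):
        if is_internal(f.dst) and not is_internal(f.src):
            # Inbound from outside: only unexpected ports are trigger candidates, so a
            # busy public service (443 on an appliance) does not alert on every hit.
            if f.dport not in listening_ports.get(f.dst, set()):
                pending[f.dst].append(f)
        elif is_internal(f.src) and not is_internal(f.dst):
            # Outbound from inside: pair it with any candidate still inside the window.
            for t in pending[f.src]:
                if f.ts - t.ts <= window:
                    alerts.append(Alert(f.src, t, f))
            pending[f.src].clear()   # each candidate trigger is used at most once
    return alerts


# Constructed sample flows; outside hosts use RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    Flow(100.0, "203.0.113.7", "10.0.0.5", 443),     # ordinary client hitting the appliance
    Flow(105.0, "10.0.0.5", "198.51.100.9", 443),    # routine outbound, nothing pending
    Flow(500.0, "203.0.113.7", "10.0.0.5", 9000),    # unsolicited packet to an unserved port
    Flow(502.0, "10.0.0.5", "198.51.100.44", 443),   # callback 2 s later, to a different IP
    Flow(900.0, "203.0.113.50", "10.0.0.5", 9000),   # another odd packet ...
    Flow(2000.0, "10.0.0.5", "198.51.100.44", 443),  # ... but the outbound is far outside the window
    Flow(2100.0, "10.0.0.8", "198.51.100.9", 443),   # unrelated host, outbound only
]

# Constructed assumption: the services each host is known to expose.
LISTENING_PORTS = {"10.0.0.5": {22, 443}}


def run_demo():
    return find_trigger_callbacks(SAMPLE_FLOWS, LISTENING_PORTS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.host}: trigger from {a.trigger.src}:{a.trigger.dport} at t={a.trigger.ts:.0f}, "
              f"callback to {a.callback.dst}:{a.callback.dport} at t={a.callback.ts:.0f}")
```

On the sample data only the t=500/t=502 pair fires; the t=900 packet is followed by an outbound connection, but long after the window closes. In production the listening-port list would come from an inventory or from a baseline of the host's own traffic, and the window should be tuned against how quickly the observed implant answers its trigger.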

The Trigger C2 method differs from the Beacon C2 method in several ways, mainly in how communication is established.

The bot and the Trigger C2 establish a shared key using a Diffie-Hellman key exchange. That key is then used to add a second layer of AES encryption, giving a stronger level of protection.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
