Cyber Security News

Hackers Using Leaked CIA’s Hive Multi-Platform Attack Kit in the Wild

It has been reported that a group or individual, whose identity is currently unknown, has released a new “backdoor.” This backdoor has been designed to function in a similar manner to a piece of malware known as “Hive,” which was developed by the United States Central Intelligence Agency (CIA). 

The source code for Hive was made publicly available by the organization known as WikiLeaks in November 2017. 

This means that anyone with knowledge of programming and access to the leaked source code could potentially create their own version of the malware, and it is believed that the unidentified actors in question have used this information to develop their own version of the malware.

CIA’s Hive Multi-Platform Attack Kit

For the first time, 360Netlab's honeypot system has detected a variant of the CIA Hive attack kit in the wild. The researchers named this variant “xdr33” because of the Bot-side certificate, CN=xdr33, embedded within it.

xdr33 is believed to have been delivered by exploiting an N-day security vulnerability in F5 appliances. It communicates with its command-and-control (C2) server over SSL using forged Kaspersky certificates.

The Chinese cybersecurity firm believes the backdoor's purpose is to harvest sensitive information from the host compromised through that vulnerability and then use it as a launchpad for intrusions into other systems.

This new implementation adds new functionality and instructions to Hive, along with a number of implementation changes that improve upon Hive in many ways.

In the following diagram, we can see how the functional schematics are laid out:-

[Figure: xdr33 functional schematic]

Based on a comparison with the Hive source code, the following five areas have been updated in xdr33:-

  • New CC instructions have been added
  • Wrapping or expanding functions
  • Structs have been reordered and extended
  • Trigger message format
  • Addition of CC operations to the Beacon task

The ELF binary is designed to operate as a “Beacon” by regularly sending information about the infected system (known as “system metadata”) to a remote server controlled by the attackers.

Additionally, the malware is capable of executing commands issued by the C2 server, allowing the attackers to control the infected system remotely.

Communication between xdr33 and the Beacon C2 proceeds in the following four steps:-

  • Two-way SSL authentication
  • Obtain XTEA key
  • Report XTEA encrypted device information to C2
  • Execute the commands sent by C2
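Steps 2 and 3 above rest on XTEA, so an analyst who has recovered a session key (for instance from a memory dump) needs the primitive to decode captured beacon reports. The reference implementation below is an added example, not code from the 360Netlab report or from xdr33; it assumes standard XTEA (64-bit block, 128-bit key, 32 rounds, delta 0x9E3779B9, big-endian words). The report does not state the mode of operation or padding, so the block-by-block helper and zero-padding here are assumptions for demonstration only, and the key and beacon body are constructed sample values.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _key_words(key: bytes) -> list:
    """Split a 128-bit key into four big-endian 32-bit words (byte order is an assumption)."""
    if len(key) != 16:
        raise ValueError("XTEA key must be 16 bytes")
    return list(struct.unpack(">4I", key))


def xtea_encrypt_block(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """Standard XTEA encryption of one 8-byte block."""
    k = _key_words(key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)


def xtea_decrypt_block(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """Inverse of xtea_encrypt_block: run the round schedule backwards."""
    k = _key_words(key)
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack(">2I", v0, v1)


def xtea_blocks(key: bytes, data: bytes, decrypt: bool) -> bytes:
    """Process an 8-byte-aligned buffer block by block (ECB-style; mode is an assumption)."""
    if len(data) % 8:
        raise ValueError("buffer length must be a multiple of 8 bytes")
    fn = xtea_decrypt_block if decrypt else xtea_encrypt_block
    return b"".join(fn(key, data[i:i + 8]) for i in range(0, len(data), 8))


# Constructed sample values: a fake session key and a fake beacon body (not real xdr33 data).
SAMPLE_KEY = bytes(range(16))
SAMPLE_REPORT = b'{"host":"lab-host","arch":"x86_64"}'


def decode_captured_report(key: bytes = SAMPLE_KEY, report: bytes = SAMPLE_REPORT) -> bytes:
    """Simulate a captured XTEA-encrypted beacon body and recover it with the known key."""
    padded = report + b"\x00" * (-len(report) % 8)  # zero padding is an assumption
    captured = xtea_blocks(key, padded, decrypt=False)
    return xtea_blocks(key, captured, decrypt=True).rstrip(b"\x00")
```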

There is also a “Trigger module” that monitors network traffic for a specific “trigger” packet. 

When the trigger packet is detected, the malware extracts the IP address of the C2 server and establishes a connection to it. The malware then waits for commands to be sent by the C2 server and executes them. 

In other words, the malware is configured to wait passively for a specific signal or command to activate it and connect to the C2 server. This trigger mechanism is used to evade detection and stay hidden until it receives the command to execute its malicious actions.

Compared with the “Beacon C2” method, the Trigger C2 method differs in several ways, mainly in how communication is established and protected.

The Bot and Trigger C2 establish a shared key using a Diffie-Hellman key exchange. This key is then used to create a second layer of encryption using the AES algorithm, which establishes a stronger level of encryption.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
