DarkUniverse – The Mysterious APT Framework #27 (Nov 5, 2019)

Researchers at Kaspersky have identified a new Advanced Persistent Threat (APT) group while investigating a script found within the 2017 ShadowBroker “Lost In Translation” leak. The APT, dubbed “DarkUniverse,” is a cyber-espionage group with approximately 20 victims in its telemetry between 2009 and 2017, including civilian and military organizations in Afghanistan, Belarus, Ethiopia, Iran, Russia, Sudan, Syria, Tanzania, and the United Arab Emirates. DarkUniverse spread its malware in a highly targeted, customized spearphishing campaign, prompting email recipients to open an attached malicious Microsoft Office document. The malware contains all the modules necessary for collecting and decrypting username and password credentials, as well as the ability to capture screenshots and access machine registry information. According to Kaspersky, unique code overlaps suggest “DarkUniverse” is connected with the ItaDuke set of activities, and that operations appear to have been suspended after the 2017 ShadowBroker leak.

Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.