Recent reports indicate that a new backdoor, derived from the CIA’s Hive multi-platform malware suite, has been deployed by unidentified threat actors. The suite’s source code was exposed by WikiLeaks in November 2017, and this is the first sign of it being adapted for use in the wild.

Qihoo Netlab 360’s Alex Turing and Hui Wang reported the detection of this variant, code-named xdr33 after the embedded Bot-side certificate CN=xdr33. This is the first recorded encounter with a variant of the CIA Hive tool since the original leak.

The malware is reportedly disseminated through exploitation of an undisclosed N-day vulnerability in F5 appliances. It communicates with its command-and-control (C2) server over SSL, using forged Kaspersky certificates as an added layer of disguise.

According to Qihoo’s analysis, the primary function of the xdr33 backdoor is to extract sensitive data, paving the way for further intrusions. This iteration shows enhancements over its predecessor, integrating new C2 instructions and additional capabilities to bolster its stealth and operational effectiveness.

In terms of functionality, the ELF sample operates in Beacon mode: it periodically exfiltrates system metadata to the remote server and executes commands received from the C2. Turing and Wang’s analysis indicates that the malware supports uploading and downloading files as well as executing commands through the command line interface.

Additionally, the xdr33 malware integrates a Trigger module that monitors network traffic for a specific “trigger” packet. When one arrives, the malware extracts the C2 server address from the packet’s payload, connects to it, and waits for command instructions from that C2. The researchers note that the communication methods of the Trigger and Beacon modes differ significantly, indicating an architecture designed for persistence and evasion.

Importantly, once the SSL tunnel is established, the bot and the Trigger C2 perform a Diffie-Hellman key exchange to derive a shared key, which is then used for AES encryption of the traffic as an additional layer of protection.

This recent emergence reinforces the need for robust security measures, particularly for organizations running F5 appliances. Keeping systems patched and monitoring network traffic closely are essential to mitigating the risk posed by threats such as xdr33. As this landscape continues to evolve, staying vigilant and informed is paramount.