Hive (spyware)

2023: Start using software by hackers

On January 10, 2023, Netlabs announced that unknown attackers had created a new malware based on the Hive spy kit used by the CIA to steal certain data.

The source code of the Hive tool (not related to the ransomware group of the same name) was released by the resource WikiLeaks as part of the Vault 8 project back in November 2017. Then it was said that software the CIA disguises the malicious as products. " Kaspersky Lab As Netlabs experts now report, on October 21, 2022, a suspicious file was discovered that interacted with the management server via SSL using fake Kaspersky Lab certificates. Subsequent analysis showed that the malware was based on the spy code ON of the CIA.

Hackers began using pirated CIA spyware

The new malicious tool was named xdr33 - by the name of the built-in certificate CN = xdr33. This is a backdoor, the main task of which is to collect confidential information and form a bridgehead for subsequent hacker intrusions. It is known that xdr33 uses the XTEA or AES algorithm to encrypt traffic. The malware performs two key functions - a beacon and a trigger. The first is responsible for periodically transmitting information about the infected device to the command and control server and executing the received instructions. The trigger monitors network traffic to extract commands from attackers.

Netlabs experts note that the creators of xdr33 have modified the Hive code by adding new instructions and features. Experts tend to believe that the CIA is not related to the creation of xdr33. Most likely, this version of Hive has developed one of the cybercriminal groups for its own purposes - in particular, for data theft and subsequent attacks, for example, using ransomware.^[1]

Notes