In 2017, a group calling themselves ShadowBrokers published a series of leaks containing information and tools from the NSA. Among the leaks was one titled “Lost in Translation.” Part of this leak was a script used to search a compromised machine for indications of other APT groups, and in 2018 Kaspersky was able to identify a group they are calling DarkUniverse as the target of one of these searches. The group appears to have been active from as far back as 2009 until 2017. Kaspersky states that the malware was under such active development over that period that the last known releases are completely different from the earliest known samples.
DarkUniverse used spear-phishing emails to infect their victims. On top of preparing each Microsoft Office document specifically for its victim, the malware also appeared to be compiled immediately before being sent, which guaranteed that each victim would be running the most up-to-date version. Each document contained an embedded executable that extracted two more files to %APPDATA%\Microsoft\Reorder. After extracting the files, the executable copied the legitimate rundll32.exe into the same directory and used it to run one of the extracted files.
DarkUniverse maintained persistence by placing a shortcut file in the startup folder, guaranteeing execution after a reboot. If this shortcut is removed, the malware attempts to restore it.
For communication, the cloud storage provider mydrive.ch appears to have been the most common channel. Each victim had an account created for them holding additional modules and a configuration file containing the commands to be run. Once downloaded, the configuration file is saved to the registry under SOFTWARE\AppDataLow\GUI\LegacyP. Credentials for these per-victim cloud storage accounts could be found both saved in this registry location and hardcoded in one of the files extracted to %APPDATA%\Microsoft\Reorder.
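The host artifacts described in the three paragraphs above (rundll32.exe executed from the Reorder directory, writes to the LegacyP registry key, and a new startup-folder shortcut) translate directly into detection rules. The following is an added example, not code from Kaspersky or from the original post; it runs over constructed Sysmon-style event dicts whose field names (EventID, Image, TargetObject, TargetFilename) are an assumption about the log format.

```python
import re

# Host artifacts from the write-up: extraction directory, config registry key,
# and the startup-folder shortcut used for persistence. Matching is
# case-insensitive because Windows paths and key names are.
REORDER_DIR = re.compile(r"\\microsoft\\reorder\\", re.I)
CONFIG_KEY = re.compile(r"\\software\\appdatalow\\gui\\legacyp", re.I)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)


def classify(event):
    """Return a rule name if the event matches a DarkUniverse artifact, else None."""
    eid = event.get("EventID")
    if eid == 1:  # process creation
        image = event.get("Image", "")
        # The legitimate rundll32.exe is copied into the Reorder directory and
        # launched from there; rundll32 from System32 is normal and ignored.
        if image.lower().endswith("rundll32.exe") and REORDER_DIR.search(image):
            return "rundll32_from_reorder_dir"
    elif eid in (12, 13):  # registry key created / value set
        if CONFIG_KEY.search(event.get("TargetObject", "")):
            return "legacyp_config_key_write"
    elif eid == 11:  # file created
        # Low-fidelity on its own (installers also drop startup shortcuts);
        # correlate with the two rules above before alerting.
        if STARTUP_LNK.search(event.get("TargetFilename", "")):
            return "startup_shortcut_created"
    return None


def scan(events):
    """Return (event index, rule name) for every matching event."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]


# Constructed sample events; not from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\Microsoft\Reorder\rundll32.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\AppDataLow\GUI\LegacyP\cfg"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 13, "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(idx, rule)
```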
One of the downloadable plugins was used for stealing mail credentials and emails. It intercepts unencrypted POP3 traffic from processes such as Outlook and Mozilla Thunderbird, then passes it to the main module for parsing and upload to the C2.
The other module downloaded from the C2 supports an impressive number of commands; Kaspersky has identified over 30 unique ones. Among them are injecting shellcode that connects to the C2 into Internet Explorer or into the LSASS.exe process, scanning the network, collecting system information, running a specific process, splitting files into 400KB chunks for upload, and performing basic man-in-the-middle attacks.