Qihoo Netlab 360 researchers have discovered the active distribution of a novel backdoor based on the Central Intelligence Agency's Hive multi-platform malware suite, according to The Hacker News.
Threat actors have been leveraging an unspecified F5 appliance vulnerability to facilitate the deployment of the malware, dubbed "xdr33," which seeks to enable sensitive data harvesting and future intrusions, the report showed. Aside from functioning as a Beacon through periodic system metadata exfiltration, the malware also allows arbitrary file uploads and downloads, as well as command execution and shell deployment. The report also showed that the malware's Trigger module could allow network traffic spying for certain trigger packets.
"It is worth noting that Trigger C2 differs from Beacon C2 in the details of communication; after establishing an SSL tunnel, [the] bot and Trigger C2 use a Diffie-Helllman key exchange to establish a shared key, which is used in the AES algorithm to create a second layer of encryption," said researchers.
