Warning: a modified version of the CIA attack suite Hive has entered the cybercrime underground

A Hive-derived backdoor named xdr33 was captured in the wild. It repurposes the source code of the CIA's Hive project, with embedded Beacon and Trigger modules, to steal sensitive data and establish footholds. The malware uses mutual TLS with client certificates, encrypts device information before reporting it to the C2, and combines periodic beaconing with trigger-based command execution. #Hive #xdr33 #CIA #Kaspersky #F5_Vulnerability

Keypoints

  • Researchers observed a Hive-based backdoor variant named xdr33, derived from CIA Hive project code.
  • The payload collects system information (PID, MAC, uptime, network details) and reports it to a hardcoded C2 after compressing with bzip and encrypting with XTEA.
  • Communication uses mutual SSL/TLS with hardcoded Bot and C2 certificates that masquerade as Kaspersky-related certificates to reduce suspicion.
  • Two main tasks exist: Beacon (periodic data collection and C2 commands) and Trigger (monitor NIC traffic for special messages to contact a Trigger C2).
  • Trigger traffic is validated via CRC checks, then decrypts a Trigger Payload to contact a Trigger C2 and execute distributed commands.
  • Compared with the prior Hive code, xdr33 adds new C2 instructions, restructures the data formats, and expands the set of Trigger and Beacon features.

MITRE Techniques

  • [T1071.001] Web Protocols – C2 over HTTPS with mutual TLS for authentication and disguised certificates (e.g., “Step1: Mutual SSL authentication”).
  • [T1027] Obfuscated/Compressed Files and Information – Device info is compressed with bzip and encrypted with XTEA before reporting to C2 (“device information is compressed and encrypted using bzip and the XTEA algorithm”).
  • [T1040] Network Sniffing – Trigger monitors NIC traffic to identify hidden Trigger C2 messages (“monitors NIC traffic to identify specific packets that conceal the Trigger C2”).
  • [T1059] Command and Scripting Interpreter – Beacons/commands include executing CMD with a fake process name (e.g., “Execute CMD with fake name ‘[kworker/3:1-events]’”).
  • [T1105] Ingress Tool Transfer – Beacon/Trigger flow includes downloading and uploading files (e.g., “Download File” and “Upload File”).
  • [T1036] Masquerading – Bot/C2 certificates masquerade as related to Kaspersky to reduce suspicion (“disguised as being related to Kaspersky”).
  • [T1090] Proxy – Use of a SOCKS5 proxy (listed as “Socket5 Proxy”) for C2 communications to obscure origin and traffic.

Indicators of Compromise

  • [IP] 45.9.150.144 – C2 server used in beacon communication (C2 over TLS on port 443).
  • [MD5] ee07a74d12c0bb3594965b51d0e45b6f – Payload sample MD5 (ELF 32-bit x86).
  • [MD5] ad40060753bc3a1d6f380a5054c1403a – Payload-related hash mentioned in the article.
  • [File] /command/bin/hlogd – Next-stage sample disguised as this file path.
  • [Certificate] CN=xdr33 – Bot certificate common name used in mutual TLS setup.
  • [Port] 443 – Port used for the TLS C2 channel.
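As a defender-side illustration of putting the indicators above to work, the following Python scan is an added example, not code from the original write-up or from 360 Netlab. It matches log records against the listed IoCs (C2 IP and port, sample MD5s, the disguised file path, and the bot certificate CN) and flags Kaspersky-named certificates on mutual-TLS sessions for review. The key=value log format, the internal hosts, and every value not in the IoC list are constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the write-up above.
C2_IPS = {"45.9.150.144"}
C2_PORTS = {443}
SAMPLE_MD5S = {"ee07a74d12c0bb3594965b51d0e45b6f", "ad40060753bc3a1d6f380a5054c1403a"}
BOT_CERT_CN = "xdr33"
DROP_PATHS = {"/command/bin/hlogd"}

# Constructed sample logs in a simplified key=value format (hypothetical; not a real sensor output).
SAMPLE_LOGS = """
type=conn src=10.0.0.7 dst=45.9.150.144 dport=443 proto=tcp
type=ssl src=10.0.0.7 dst=45.9.150.144 dport=443 client_cn=xdr33 server_issuer="Kaspersky Lab"
type=conn src=10.0.0.8 dst=93.184.216.34 dport=443 proto=tcp
type=file host=10.0.0.7 path=/command/bin/hlogd md5=ee07a74d12c0bb3594965b51d0e45b6f
type=file host=10.0.0.9 path=/usr/bin/ls md5=d41d8cd98f00b204e9800998ecf8427e
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass
class Hit:
    line: str
    host: str
    reasons: list


def check_record(rec):
    """Return the list of IoC matches for a single parsed record (empty if clean)."""
    reasons = []
    # Beacon C2 channel: known C2 address on the TLS port.
    if rec.get("dst") in C2_IPS and int(rec.get("dport", 0)) in C2_PORTS:
        reasons.append("destination matches xdr33 beacon C2")
    if rec.get("type") == "ssl":
        # Mutual TLS: the bot presents a client certificate with CN=xdr33.
        if rec.get("client_cn") == BOT_CERT_CN:
            reasons.append("client certificate CN matches bot certificate")
        # Lower-confidence signal: a Kaspersky-named certificate on a session where the
        # client also presented a certificate. Legitimate Kaspersky software can do this
        # too, so this is a review item, not a verdict on its own.
        if "kaspersky" in rec.get("server_issuer", "").lower() and "client_cn" in rec:
            reasons.append("Kaspersky-named certificate on mutual-TLS session (review)")
    # Host artefacts: sample hashes and the disguised next-stage path.
    if rec.get("md5", "").lower() in SAMPLE_MD5S:
        reasons.append("md5 matches xdr33 sample")
    if rec.get("path") in DROP_PATHS:
        reasons.append("path matches disguised next-stage sample")
    return reasons


def scan(text):
    """Scan log text line by line and collect records that match at least one indicator."""
    hits = []
    for line in text.strip().splitlines():
        rec = parse_line(line)
        reasons = check_record(rec)
        if reasons:
            host = rec.get("src") or rec.get("host") or "unknown"
            hits.append(Hit(line, host, reasons))
    return hits


def hosts_of_concern(hits):
    """Group matched reasons per internal host so an analyst can triage host by host."""
    by_host = defaultdict(set)
    for hit in hits:
        by_host[hit.host].update(hit.reasons)
    return dict(by_host)


if __name__ == "__main__":
    for host, reasons in hosts_of_concern(scan(SAMPLE_LOGS)).items():
        print(host)
        for reason in sorted(reasons):
            print("  -", reason)
```

Network matches and host matches are kept as separate reasons on purpose: a single host that shows both the TLS session to the C2 and the disguised binary on disk is a far stronger signal than either alone, and the per-host grouping makes that coincidence visible.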

Read more: https://blog.netlab.360.com/warning-hive-variant-xdr33-is-coming_cn/