Back in May, the WannaCry ransomware decimated millions of Windows PC around the world. Later, a similar worm – dubbed EternalRocks – compromised a load more Windows machines. Hacker group ShadowBrokers released WannaCry and EternalRocks – both stolen NSA hacking tools – promising more to come. Now, it seems ShadowBrokers are true to their word. The group unveiled a fresh NSA hacking tool: a Trojan known as UNITEDRAKE. UNITEDRAKE is able to compromise Windows systems from XP to Windows Server 2012, and pretty much every version in-between.
What is UNITEDRAKE?
Edward Snowden first revealed the existence of UNITEDRAKE, thanks to the NSA documents he leaked in 2013. The Trojan is able to remotely target a wide array of Windows machines. Specifically, vulnerable Windows versions include XP, Server 2003, Server 2008, Vista, 7 SP1, 8, and Server 2012. The malware can spy on communications, including microphone and webcam usage, plus record keystrokes. Afterwards, UNITEDRAKE self-destructs upon completion of its tasks.
ShadowBrokers released the UNITEDRAKE manual [PDF] over the last few days. ShadowBrokers describes UNITEDRAKE thusly (via Schneier on Security):
“Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information.
UNITEDRAKE, described as a “fully extensible remote collection system designed for Windows targets,” also gives operators the opportunity to take complete control of a device.
The malware’s modules — including FOGGYBOTTOM and GROK — can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, the impersonation users, stealing diagnostics information and self-destructing once tasks are completed.”
In The Wild?
Kaspersky Labs found evidence of UNITEDRAKE in the wild two years ago, presumably being used by its creator, the NSA. In fact, Kaspersky mentions the Equation Group, an entity assumed to be an NSA operator:
“The capabilities of several tools in the catalog identified by the codenames UNITEDRAKE, STRAITBAZZARE, VALIDATOR and SLICKERVICAR appear to match the tools Kaspersky found. These codenames don’t appear in the components from the Equation Group, but Kaspersky did find “UR” in EquationDrug, suggesting a possible connection to UNITEDRAKE (United Rake). Kaspersky also found other codenames in the components that aren’t in the NSA catalog but share the same naming conventionsthey include SKYHOOKCHOW, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, and DESERTWINTER.”
However, ShadowBrokers only released the UNITEDRAKE manual thus far, not the Trojan itself. The manual, though, serves as a brochure for potential buyers. Should a malicious party purchase UNITEDRAKE, the malware will surely wreak havoc.
