The infamous Shadow Brokers are back with their promised "TheShadowBrokers Dump Service – September 2017" and have released UNITEDRAKE, an implant described as a “fully extensible remote collection system” that comes with a number of “plug-ins,” enabling attackers to take full remote control of targeted Windows computers.
UNITEDRAKE is a modular malware described as a “fully extensible remote collection system designed for Windows targets.”
Able to compromise Windows PCs running XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and earlier, as well as Windows 8 and Windows Server 2012, the attack tool operates as a service that captures information: clients planted on target machines collect data and send it to a server over the internet.
The existence of UNITEDRAKE first came to light in 2013 as part of a series of classified NSA documents leaked by Edward Snowden and in a catalog of NSA hacking tools leaked by a second source, which revealed it was used by the NSA alongside other pieces of malware to infect millions of computers around the world.
By using “plugins”, UNITEDRAKE can perform tasks including listening in on and monitoring communications, capturing keystrokes as well as webcam and microphone output, impersonating users, stealing diagnostic information and self-destructing once its tasks are completed.
The Snowden documents suggested the agency used the tool alongside other pieces of malware, including CAPTIVATEDAUDIENCE, GUMFISH, FOGGYBOTTOM, GROK, and SALVAGERABBIT, to infect millions of computers around the world.
- CAPTIVATEDAUDIENCE records conversations via the infected computer’s microphone
- GUMFISH covertly takes control of a computer’s webcam and snaps photographs
- FOGGYBOTTOM exfiltrates Internet data such as browsing histories, login details and passwords
- GROK is a keylogger Trojan that captures keystrokes
- SALVAGERABBIT accesses data on removable flash drives connected to the infected computer
Targeted machines include:
- Windows XP
- Windows Server 2003
- Windows Server 2008
- Windows Vista
- Windows 7 SP 1
- Windows 8
- Windows Server 2012