UNITEDRAKE is a RAT (remote access tool) used by NSA TAO for data exfiltration and implant loading on Microsoft Windows targets. Includes IoC. The ShadowBrokers have promised to release the NSA tool UNITEDRAKE, which remotely targets Windows machines, to their subscribers.
The ShadowBrokers group of hackers has released a remote access and control tool used by the US NSA to capture information from Windows-based machines.
The existence of the UNITEDRAKE RAT first came to light in 2014 as part of a series of classified documents leaked by former NSA contractor Edward Snowden.
UNITEDRAKE is a modular malware [pdf] that runs on Microsoft Windows XP, Vista, 7, 8 and up to Windows Server 2012, with clients planted on target machines that send information to a server over the internet.
By using plugins, the malware can capture webcam and microphone output, log keystrokes, access external drives and more for surveillance purposes.
Dubbed UNITEDRAKE, the implant is a “fully extensible remote collection system” that comes with a number of “plug-ins,” enabling attackers to remotely take full control over targeted Windows computers.
Notably, the September dump also includes an unencrypted PDF file, which is a user manual for the UNITEDRAKE (United Rake) exploit developed by the NSA.
According to the leaked user manual, UNITEDRAKE is a customizable modular malware with the ability to capture webcam and microphone output, log keystrokes, access external drives and more in order to spy on its targets.
The tool consists of five components—the server (a Listening Post), the system management interface (SMI), the database (to store and manage stolen information), the plug-in modules (which allow the system's capabilities to be extended), and the client (the implant).
New Terms for Shadow Brokers Monthly Dump Service
The Shadow Brokers is now only accepting payments in ZCash (ZEC) from its monthly subscribers, rather than Monero, citing the use of clear-text email for delivery, and has also raised its rates for exploits, demanding nearly $4 million.
The group demanded 100 ZEC when it started its first monthly dump service in June, but the hackers are now demanding 16,000 ZEC (about $3,914,080 in total) for all NSA dumps. Zcash currently trades at $248 per unit.
Those who want access only to the September dump, which includes the new NSA malware files, need to pay the hackers 500 ZEC.
The Shadow Brokers gained notoriety after leaking the SMB zero-day exploit called EternalBlue, which powered the WannaCry ransomware attack that crippled large businesses and services around the world in May.
After that, the mysterious hacking group announced a monthly data dump service for those who want to get exclusive access to the NSA arsenal, which they claim to have stolen from the agency last year.