Russia-linked APT28 targets govt bodies with fake NATO training docs

Pierluigi Paganini September 23, 2020

Russia-linked cyberespionage group APT28 uses fake NATO training documents as bait in attacks aimed at government bodies.

The Russia-linked cyberespionage group APT28 is behind a string of attacks that targeting government bodies with Zebrocy Delphi malware. The malicious code was distributed using fake NATO training materials as bait and had a very low detection rate of 3/61 on VirusTotal.

Even today, less than half of the known antivirus engines are flagging the infection on VirusTotal, as observed by BleepingComputer:

The APT28 group (aka Fancy BearPawn StormSofacy GroupSednit, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

Threat intelligence firm QuoIntelligence uncovered a campaign on Government bodies on August 9, the attacks likely started on August 5.

“On 9 August, QuoIntelligence disseminated a Warning to its government customers about a new APT28 (aka Sofacy, Sednit, Fancy Bear, STRONTIUM, etc.) campaign targeting government bodies of NATO members (or countries cooperating with NATO).” reads the report published QuoIntelligence. “In particular, we found a malicious file uploaded to VirusTotal, which ultimately drops a Zebrocy malware and communicates with a C2 in France.”

The command and control infrastructure was hosted in France, for this reason, QuoIntelligence had reported their findings to the French law enforcement agencies.

The same campaign was also reported in August by the Qi’anxin Red Raindrops.

The researchers analyzed files (Course 5 – 16 October 2020.zipx) containing the malicious code. Upon renaming the file as a JPG, they were showing the logo of the Supreme Headquarters Allied Powers Europe (SHAPE), which is the NATO’s Allied Command Operations (ACO) located in Belgium

The malicious file distributed by APT28 is titled, “Course 5 – 16 October 2020.zipx” 

APT28 NATO courses_zipx

Experts revealed the sample has a Zip file concatenated. Experts pointed out that the technique works because JPEG files are parsed from the beginning of the file while some Zip implementations parse Zip files from the end of the file ignoring the signature at the beginning.

According to QuoIntelligence researchers, the campaign targeted some NATO countries and at least one Middle Eastern country, Azerbaijan that cooperates with the North-Atlantic alliance.

After decompressing the ZIP file, the following two samples are dropped:

  • Course 5 – 16 October 2020.exe (Zebrocy malware)                                  SHA256:  aac3b1221366cf7e4421bdd555d0bc33d4b92d6f65fa58c1bb4d8474db883fec  
  •  Course 5 – 16 October 2020.xls (Corrupted file)                                               SHA256: b45dc885949d29cba06595305923a0ed8969774dae995f0ce5b947b5ab5fe185

The Excel file (XLS) is corrupted and cannot be opened by Microsoft Excel, it contains information about military personnel involved in the military mission “African Union Mission for Somalia,” but researchers were not able to determine if the information contained in the file is legitimate or not.

The Zebrocy malware employed in this campaign is a persistent backdoor that can be used by threat actors to perfor system reconnaissance and take full control of the target systems.

The Zebrocy payload (present in “Course 5 – 16 October 2020.exe”) replicates itself into “%AppData%\Roaming\Service\12345678\sqlservice.exe” and further adds a randomized 160-byte blob to the newly generated file to make harder the detection by signature-based antivirus engines.

The malicious code creates a Windows scheduled task that runs every minute and sends data in obfuscated and encrypted form to the C2 server with post requests.

“The task runs regularly and tries to POST stolen data (e.g. screenshots) to hxxp://194.32.78[.]245/protect/get-upd-id[.]PHP” continues the report.”The malware sends POST requests about once per minute without getting a response back. Additionally, the server closes the connection after waiting for about 10 more seconds. It is possible that this unresponsive behavior is due to the C2 determining the infected machine as not interesting.”

The report includes the list of Indicators of Compromise (IOCs),  IDS detection rule(s), and technical details about the campaign.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT28)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment