APT

Russia-linked Sofacy APT group adopts new tactics and tools in last campaign

Sofacy APT group (APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) continues to operate and thanks to rapid and continuously changes of tactics the hackers are able to remain under the radar.

According to experts from Palo Alto Networks, the hackers also used new tools in recent attacks, recently the APT group has shifted focus in their interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.

The researchers observed several attacks leveraging the SPLM and the Zebrocy tool between the second and fourth quarters of 2017 against organizations in Asia. The list of targeted countries included China, Mongolia, South Korea and Malaysia.

Back to the present, the Sofacy APT group is using a new version of the Zebrocy backdoor written in a C++, attackers adopted the Dynamic Data Exchange (DDE) attack technique to deliver malware.

The DDE attack technique was exploited to deliver payloads such as the Zebrocy backdoor and the open-source penetration testing toolkit Koadic.

This is the first time that the Russian APT uses the Koadic tool.

“Following up our most recent Sofacy research in February and March of 2018, we have found a new campaign that uses a lesser known tool widely attributed to the Sofacy group called Zebrocy. Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments.” reads the analysis published by Palo Alto Networks.

“This third campaign is consistent with two previously reported attack campaigns in terms of targeting: the targets were government organizations dealing with foreign affairs. In this case however the targets were in different geopolitical regions.”

Palo Alto noticed a change in the tactics used by the hackers, instead of targeting a handful of employees within an organization, they sent phishing messages to “an exponentially larger number of individuals” within the same organization.

Attackers obtained the list of individuals’ emails with simple queries to search engines, this method is also a novelty for the Sofacy APT group.

The researchers linked this campaign to previous attacks, in February Palo Alto Networks reported the Sofacy APT group was hiding infrastructure using random registrant and service provider information in each attack.

“In our February report, we discovered the Sofacy group using Microsoft Office documents with malicious macros to deliver the SofacyCarberp payload to multiple government entities.” continues Palo Alto.

“In that report, we documented our observation that the Sofacy group appeared to use conventional obfuscation techniques to mask their infrastructure attribution by using random registrant and service provider information for each of their attacks. In particular, we noted that the Sofacy group deployed a webpage on each of the domains.”

The investigation on this campaign allowed the experts to discover another campaign leveraging the DealersChoice exploit kit and a domain serving the Zebrocy AutoIT downloader.

The version of Zebrocy downloader delivered by this domain is the new one written in C++, the downloader was used to spread the Delphi backdoor hosted at IP address 185.25.50[.]93.

The experts discovered the following hard-coded user agent being used by many samples of Zebrocy targeting the foreign affairs ministry of a large Central Asian nation:

Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko

The experts found two weaponized Office documents implementing the DDE attack technique, the malicious files were used in attacks against a North American government organization dealing with foreign affairs.

Further details, including IoCs are reported in the analysis published by Palo Alto Networks.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Sofacy APT group, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]

 

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

13 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

20 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.