Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

5/23/2019
01:35 PM
50%
50%

Russian Nation-State Hacking Unit's Tools Get More Fancy

APT28/Fancy Bear has expanded its repertoire to more than 30 commands for infecting systems, executing code, and reconnaissance, researchers have found.

Zebrocy malware - widely considered to be part of the the infamous APT28/Fancy Bear Russian cyber-espionage group's toolset - now has more than 30 commands for reconnoitering compromised systems and spreading across networks.

Researchers from security firm ESET this week published new findings on the attack tool, which improves upon the older Sofacy backdoor, and combines downloaders and remote administration tools to allow attackers to control compromised systems. Both programs have been linked to the Russian cyber-espionage group that has been blamed for cyberattacks on the nation of Georgia prior to Russia's 2008 invasion and for stealing e-mail and data from the US Democratic National Committee prior to the 2016 presidential election. 

ESET used telemetry generated by systems using its security agent to observe the initial Zebrocy infection via spearphishing attacks and subsequent commands, the company stated in an analysis

"We were able to monitor the way they use the Zebrocy malware after they infected their target, including all the interactions they had with the infected systems, and gain some intelligence," says Alexis Dorais-Joncas, security intelligence team lead for ESET. "It is an updated modus operandi used by the group in the way ... they perform their initial infection."

The research sheds light on a tool that has become a major part of the operations of a long-running cyber espionage group. While ESET does not  explicitly attribute the attacks to Fancy Bear, analyses by other companies, such as the ATT&CK entry from MITRE, have explicitly connected the use of the tool to the group.

Earlier this year, security firm Kaspersky Lab noted that Zebrocy, once a component of the Sofacy backdoor package in 2015, had rapidly become a popular tool, especially for use against government systems in Central Asia.

"Zebrocy continues to maintain a higher level of volume attacking local and remote ex-USSR republic Central Asian targets than other clusters of targeted Sofacy activity," Kaspersky Lab concluded in its analysis. "Also interesting with this Sofacy sub-group is the innovation that we continue to see within their malware development."

ESET's research, meanwhile, highlights the rapidity with which the group behind Zebrocy has innovated with its tools and techniques. APT28/Fancy Bear is one of the original Russian cyber-operations groups tracked by security firms and government intelligence. Known also as Sofacy, STRONTIUM, and the Sednit group—ESET's preferred name—the group has actively developed its toolbox of hacking programs.

In 2018, for example, ESET discovered that the Sednit group had successfully deployed a Unified Extensible Firmware Interface (UEFI) rootkit, dubbed LoJax, which infects the basic hardware operating system and can survive rebooting the system.

"Three years ago, the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia," ESET wrote in its analysis. "Since then, the number and diversity of components has increased drastically."

The group has mainly targeted embassies, ministries, and diplomats in Azerbaijan, Bosnia and Herzegovina, Egypt, Georgia, Iran, Kazakhstan, Korea, Kyrgyzstan, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay and Zimbabwe, according to ESET.

How it Works

Zebrocy consists of two downloaders, one written in the Delphi scripting language and another in the AutoIt scripting language. Only one of the two downloaders need to run to install a backdoor—the third Zebrocy component—onto a targeted system.

Once installed, the operators would quickly perform reconnaissance on the system and gather operating system and file information, as well as other details about the system.

"The operators would quickly perform a reconnaissance phase to understand the kind of target that they just managed to infect," says Dorais-Joncas. "They get information like the operating system, even some screenshots from the infected machines, get some networking information, IT configuration, and things like that." 

In some cases, the first downloader installed another component whose purpose is currently being studied, according to ESET. "The very short timeframe where this backdoor is on the system and operating makes it harder to retrieve," the company said. "Once its operators complete their evil deeds, they quickly remove it."

Finally, because the commands issued after the initial installation are the same and executed very quickly, ESET suggested that they might be automated, rather than waiting for a member of the Sednit group to manually attack the system.

"They are gathering a considerable amount of information on the compromised target and they are not worried about duplicated data," the report stated. "It shows a large gap between the development strategy and what operators do in practice. Backdoors with custom configuration and modules are deployed very carefully, which indicates some precautions to avoid ending up in the hands of researchers."

Related Content:

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15504
PUBLISHED: 2020-07-10
A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other version...
CVE-2020-8190
PUBLISHED: 2020-07-10
Incorrect file permissions in Citrix ADC and Citrix Gateway before versions 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows privilege escalation.
CVE-2020-8191
PUBLISHED: 2020-07-10
Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows reflected Cross Site Scripting (XSS).
CVE-2020-8193
PUBLISHED: 2020-07-10
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.
CVE-2020-8194
PUBLISHED: 2020-07-10
Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download.