22 May 2019

Malware sample uploaded to VirusTotal linked to ongoing APT28 attack

Malware sample uploaded to VirusTotal linked to ongoing APT28 attack

A malware variant uploaded by U.S. Cyber Command to VirusTotal last week is still being used in active attacks, which have been linked by cybersecurity researchers to APT28 - a hacking group, which is believed to be responsible for the breach of the Democratic National Committee's computer network during the 2016 election cycle.

According to CyberScoop, researchers from Kaspersky Lab and ZoneAlarm detected the malware attacks, targeting Central Asian nations, as well as diplomatic and foreign affairs organizations. Although ZoneAlarm can’t confirm the targets the attack is focused on, the company detected the specific malware hash in an active attack in the Czech Republic last week, said ZoneAlarm’s Threat Intelligence Group Manager Lotem Finkelsteen. The researchers believe that APT28 is conducting several attacks simultaneously.

While Kaspersky Lab’s Kurt Baumgartner didn’t provide the information on when APT28 (also known as Sofacy or Fancy Bear) first started using the malware, he said that the module was compiled last July.

Cyber Command, which shared the malware sample as part of its effort to boost information sharing, did not reveal when this particular malware sample was discovered and didn’t attribute it to any group.

The researchers say that the malware resembles XTunnel, a tool that APT28 used in attacks on DNC in 2016, but also has a few components in common with SPLM/XAgent. This variant differs from the previous XTunnel versions, since it’s code has “very few similarities to the previous code” and has a pretty large size (over 3 MB). As Baumgartner explained, for a couple of years APT28 had minimized their XTunnel code to a very small size (roughly under 25kb), so it is unusual for the group to push such large executables.

Back to the list

Latest Posts

Hackers actively exploit a recently patched vulnerability in Exim email server software

Hackers actively exploit a recently patched vulnerability in Exim email server software

Millions of Exim email servers are currently under attack.
14 June 2019
FIN8 hacking group reappears with updated ShellTea backdoor, targets POS devices in the hotel industry

FIN8 hacking group reappears with updated ShellTea backdoor, targets POS devices in the hotel industry

FIN8 made several improvements to its malware arsenal, fixing bugs and making the malicious tools harder to detect.
13 June 2019
Hackers weaponize critical Oracle WebLogic vulnerability in cryptojacking attacks

Hackers weaponize critical Oracle WebLogic vulnerability in cryptojacking attacks

Trend Micro’s researchers shed light on some of the activity involving CVE-2019-2725.
11 June 2019
Featured vulnerabilities
Stored XSS in FortiWeb reports
Medium Patched | 13 Jun, 2019
Microsoft update for Adobe Flash (June 2019)
High Patched | 12 Jun, 2019