22 May 2019

Malware sample uploaded to VirusTotal linked to ongoing APT28 attack

A malware variant uploaded by U.S. Cyber Command to VirusTotal last week is still being used in active attacks, which cybersecurity researchers have linked to APT28, a hacking group believed to be responsible for the breach of the Democratic National Committee's computer network during the 2016 election cycle.

According to CyberScoop, researchers from Kaspersky Lab and ZoneAlarm detected the malware in attacks targeting Central Asian nations, as well as diplomatic and foreign affairs organizations. Although ZoneAlarm can’t confirm the intended targets of the attack, the company detected the specific malware hash in an active attack in the Czech Republic last week, said ZoneAlarm’s Threat Intelligence Group Manager Lotem Finkelsteen. The researchers believe that APT28 is conducting several attacks simultaneously.

While Kaspersky Lab’s Kurt Baumgartner didn’t say when APT28 (also known as Sofacy or Fancy Bear) first started using the malware, he said that the module was compiled last July.

Cyber Command, which shared the malware sample as part of its effort to boost information sharing, did not reveal when this particular malware sample was discovered and didn’t attribute it to any group.

The researchers say that the malware resembles XTunnel, a tool that APT28 used in attacks on the DNC in 2016, but it also has a few components in common with SPLM/XAgent. This variant differs from previous XTunnel versions: its code has “very few similarities to the previous code” and it is relatively large (over 3 MB). As Baumgartner explained, for a couple of years APT28 had minimized their XTunnel code to a very small size (roughly under 25 KB), so it is unusual for the group to push such large executables.
