A malware variant uploaded by U.S. Cyber Command to VirusTotal last week is still being used in active attacks, which have been linked by cybersecurity researchers to APT28 - a hacking group, which is believed to be responsible for the breach of the Democratic National Committee's computer network during the 2016 election cycle.
According to CyberScoop, researchers from Kaspersky Lab and ZoneAlarm detected the malware attacks, targeting Central Asian nations, as well as diplomatic and foreign affairs organizations. Although ZoneAlarm can’t confirm the targets the attack is focused on, the company detected the specific malware hash in an active attack in the Czech Republic last week, said ZoneAlarm’s Threat Intelligence Group Manager Lotem Finkelsteen. The researchers believe that APT28 is conducting several attacks simultaneously.
While Kaspersky Lab’s Kurt Baumgartner didn’t provide the information on when APT28 (also known as Sofacy or Fancy Bear) first started using the malware, he said that the module was compiled last July.
Cyber Command, which shared the malware sample as part of its effort to boost information sharing, did not reveal when this particular malware sample was discovered and didn’t attribute it to any group.
The researchers say that the malware resembles XTunnel, a tool that APT28 used in attacks on DNC in 2016, but also has a few components in common with SPLM/XAgent. This variant differs from the previous XTunnel versions, since it’s code has “very few similarities to the previous code” and has a pretty large size (over 3 MB). As Baumgartner explained, for a couple of years APT28 had minimized their XTunnel code to a very small size (roughly under 25kb), so it is unusual for the group to push such large executables.
