22 May 2019

Malware sample uploaded to VirusTotal linked to ongoing APT28 attack

A malware variant uploaded to VirusTotal by U.S. Cyber Command last week is still being used in active attacks, which cybersecurity researchers have linked to APT28, the hacking group believed to be responsible for the breach of the Democratic National Committee's computer network during the 2016 election cycle.

According to CyberScoop, researchers from Kaspersky Lab and ZoneAlarm detected attacks using the malware against Central Asian nations, as well as diplomatic and foreign-affairs organizations. Although ZoneAlarm cannot confirm which targets the campaign is focused on, the company detected a file with the same hash as the Cyber Command sample in an active attack in the Czech Republic last week, said Lotem Finkelsteen, ZoneAlarm's Threat Intelligence Group Manager. The researchers believe that APT28 is running several attacks simultaneously.

While Kaspersky Lab's Kurt Baumgartner did not say when APT28 (also known as Sofacy or Fancy Bear) first started using the malware, he said that the module was compiled last July.

Cyber Command, which shared the malware sample as part of its effort to boost information sharing, did not reveal when it discovered this particular sample and did not attribute it to any group.

The researchers say that the malware resembles XTunnel, the tool APT28 used in its 2016 attacks on the DNC, but also shares a few components with SPLM/XAgent. This variant differs from earlier XTunnel builds: its code has "very few similarities to the previous code" and it is unusually large (over 3 MB). As Baumgartner explained, for a couple of years APT28 had trimmed its XTunnel code to a very small size (roughly under 25 KB), so it is unusual for the group to push such large executables.
