Fancy Bear APT strikes with a new spearphishing campaign, improves its arsenal to avoid detection

The notorious Fancy Bear hacker group has launched a new spearphishing campaign that uses an updated set of tools, including a backdoor written in a new language, to compromise victims. Fancy Bear (aka APT28, Sednit, Sofacy, and Strontium) is an advanced persistent threat (APT) group that has been active since at least 2004 and has frequently made the headlines for its politically motivated campaigns, including the attacks against the US Democratic National Committee (DNC), the World Anti-Doping Agency (WADA), and other government organizations.

The most recent campaign, observed by Slovakian cybersecurity company ESET, has been aimed at the usual array of Fancy Bear’s targets, in this case embassies of, and Ministries of Foreign Affairs in, Eastern European and Central Asian countries. The campaign demonstrated several changes in the APT’s approach, including an improved downloader written in the Nim language and a backdoor rewritten from Delphi into Golang.

“Sednit’s previous Golang downloaders have been described in detail by other researchers and it seems that Sednit’s developers have rewritten their previous Delphi downloader in Golang. Those earlier downloaders gather a lot of information about the victim computer and send it to their C&C server. However, this new one is quite light in terms of its data-gathering capabilities,” the researchers wrote in a blog post.

This latest campaign starts with a phishing email carrying a malicious attachment that launches a long chain of downloaders, ending with a backdoor. The hackers haven’t been too stealthy in their attempts to compromise target organizations: the victim has at least six malicious components dropped on the computer before the final payload is executed, the researchers said.

The phishing email contains a Word attachment that is blank but references a Dropbox-hosted remote template, wordData.dotm. In turn, the template contains malicious macros that execute lmss.exe, the new Nim downloader for the Zebrocy trojan. An AutoIt downloader is also embedded in the document; while it was used in previous campaigns by the Fancy Bear group, in this case the downloader lies dormant, suggesting that the hackers simply forgot to remove it.
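The remote-template step above is visible in the attachment itself before any macro runs: a .docx is a zip archive, and an attached template is declared as a relationship in word/_rels/settings.xml.rels. The following check is an added example written for this article (not ESET's code or anything from the campaign); it lists every externally targeted attachedTemplate relationship and flags those that point at a network location rather than a local path. The in-memory sample document and the example.invalid URL are constructed stand-ins for the Dropbox-hosted wordData.dotm.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Relationship type Word uses to bind a document to its attached (remote or local) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_RE = re.compile(r"<Relationship\b([^>]*)/?>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def remote_templates(docx_bytes: bytes) -> list:
    """Return every externally targeted attachedTemplate in the document's settings rels."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return targets  # no attached template declared at all
        rels = zf.read("word/_rels/settings.xml.rels").decode("utf-8", "replace")
        for match in REL_RE.finditer(rels):
            attrs = dict(ATTR_RE.findall(match.group(1)))
            if (attrs.get("Type") == ATTACHED_TEMPLATE
                    and attrs.get("TargetMode") == "External"):
                targets.append(attrs.get("Target", ""))
    return targets


def is_network_template(target: str) -> bool:
    """True when the template would be fetched over HTTP(S) or a UNC path, not from local disk."""
    return urlparse(target).scheme.lower() in ("http", "https") or target.startswith("\\\\")


def build_sample(template_target: str) -> bytes:
    """Constructed minimal .docx holding only the two parts the check inspects; not a real sample."""
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
                ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"'
            ' TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL standing in for the Dropbox-hosted wordData.dotm described in the article.
    doc = build_sample("https://example.invalid/placeholder/wordData.dotm")
    for t in remote_templates(doc):
        print(("NETWORK " if is_network_template(t) else "local   ") + t)
```

A locally attached template (for example Normal.dotm under the user's Templates folder) is also declared with TargetMode="External", which is why the scheme check, not the External flag alone, decides the verdict.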

As for the new backdoor, it has various capabilities that were also previously seen in Zebrocy’s Delphi backdoor:

  • file manipulation such as creation, modification, and deletion

  • screenshot capabilities

  • drive enumeration

  • command execution (via cmd.exe)

  • scheduled task creation under the name Windows\Software\OSDebug (which the operators could use to set up persistence manually)

“It seems that the Sednit group are porting the original code to, or reimplementing it in, other languages in the hope of evading detection. It’s probably easier that way and it means they do not need to change their entire TTPs. The initial compromise vector stays unchanged, but using a service like Dropbox to download a remote template is unusual for the group,” the ESET team concluded.
