U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

A new Fancy Bear backdoor used to target political targets

Security experts at ESET have uncovered a new campaign carried out by Russia-linked Fancy Bear APT group aimed at political targets. Security researchers at ESET have uncovered a new campaign carried out by Russia-linked Fancy Bear APT group (i.e. APT28, Sednit, Sofacy, Zebrocy, and Strontium) aimed at political targets. In the recent attacks, the hackers […]

Fancy Bear

Figure 1. Chain of compromise overview – Source ESET

Security experts at ESET have uncovered a new campaign carried out by Russia-linked Fancy Bear APT group aimed at political targets.

Security researchers at ESET have uncovered a new campaign carried out by Russia-linked Fancy Bear APT group (i.e. APT28, Sednit, Sofacy, Zebrocy, and Strontium) aimed at political targets.

In the recent attacks, the hackers used a new set of malicious payloads, including a backdoor written in a new language.

The Fancy Bear APT group has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

“On August 20th, 2019, a new campaign was launched by the group targeting their usual victims – embassies of, and Ministries of Foreign Affairs in, Eastern European and Central Asian countries.” reads the analysis published by ESET.

“As predicted by other fellow researchers, the Sednit group added a new development language in their toolset, more precisely for their downloader: the Nim language. However, their developers were also busy improving their Golang downloader, as well as rewriting their backdoor from Delphi into Golang.”

The threat actors used phishing messages containing a malicious attachment that launches a long chain of downloaders, ending with a backdoor.

Fancy Bear
Figure 1. Chain of compromise overview – Source ESET

The phishing messages come with an attachment document that is blank and references a remote template, wordData.dotm hosted at Dropbox. Once the victim has opened the document in Word it will trigger the download wordData.dotm and incorporate it into the associated document’s working environment, including any active content the template may contain.

“The wordData.dotm file contains malicious macros that then are executed. (Depending on the Microsoft Word version, the VBA macros are disabled by default and user action is required to enable them.) It also contains an embedded ZIP archive that the macros dropped and extracted.” continues the report.

The attacks analyzed by ESET have involved several downloaders written in different languages, including a new one dubbed Nim. Nim is a statically typed compiled systems programming language. It combines successful concepts from mature languages like Python, Ada and Modula.

The downloader written in Nim is quite light in terms of its data-gathering capabilities, compared with previous Golang downloaders.

In August, threat actors also used for the first time a new backdoor written in Golang, the malware has many similarities with the Delphi beckdoors used in previous attacks.  

Experts pointed out that six modules are fetched in the attack chain before the final Golang backdoor. The malware is able to steal sensitive data from the infected machine and take screenshots every 35 seconds during the first few minutes of infection. The backdoor is also able to install additional payloads.

“It seems that the Sednit group is porting the original code to, or reimplementing it in, other languages in the hope of evading detection,” ESET concludes. “It’s probably easier that way and it means they do not need to change their entire TTPs [Tactics, Techniques and Procedures]. The initial compromise vector stays unchanged, but using a service like Dropbox to download a remote template is unusual for the group.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]