[BreachExchange] Russian Hackers Use New 'SkinnyBoy' Malware in Attacks on Military, Government Orgs

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Jun 7 14:58:57 EDT 2021


https://www.securityweek.com/russian-hackers-use-new-skinnyboy-malware-attacks-military-government-orgs

The Russia-linked threat group known as APT28 has been observed using a new
backdoor in a series of attacks targeting military and government
institutions, researchers with threat intelligence company Cluster25 reveal.

Active since at least 2007 and also tracked as Fancy Bear, Pawn Storm,
Sednit, Strontium, and Tsar Team, APT28 is well known for its
cyber-espionage operations targeting the 2016 Presidential elections in the
United States, but is also associated with attacks on NATO countries and
with activities against organizations in the energy and transportation
sectors.

APT28, which is believed to be a military unit of Russia’s General Staff
Main Intelligence Directorate (GRU) 85th Main Special Service Center
(GTsSS), mainly focuses on the military, government, and diplomatic
sectors, and the newly detailed campaign is no different.

For initial access, the threat actor is known to use tactics such as
watering hole attacks, social engineering, zero-day vulnerabilities, and
stolen credentials, followed by the deployment of tools and malware that
allow it to achieve persistence and gain access to information of interest.

While the tactics observed in this campaign were no different from previous
attacks, what stood out was the use of a new backdoor that Cluster25’s
researchers have dubbed SkinnyBoy. The implant is fully operational and
functional, but lacks the sophistication expected from a nation-state tool,
likely in an effort to hinder attribution.

“With great probability, considering the group's capabilities, the tactic
of significantly lowering these levels becomes functional with an attempt
to make any attribution effort more complex,” Cluster25 researchers note.

In another attempt to hide their tracks, the adversary employed commercial
VPN services to purchase and manage the infrastructure used in this
campaign.

The attacks would start with spear-phishing emails delivering a Word
document carrying malicious macros that extract a DLL designed to fetch the
SkinnyBoy dropper, which achieves persistence and downloads all the
components for the next stage.

To evade detection, the dropper does not execute the downloaded payloads.
Instead, it creates the persistence mechanism necessary to execute them
later: a LNK file is placed in the Windows Startup folder. When executed,
the payload acts as the backdoor’s launcher.
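As an added defender-side check (not code from the article or from Cluster25), the following Python audits the per-user and all-users Startup folders for .lnk launchers of the kind described above and resolves each shortcut's target by reading the Shell Link (MS-SHLLINK) header and LinkInfo block; the user-writable-path heuristic and the constructed test shortcut are assumptions, not indicators from the report.

```python
import os
import struct

HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02   # ShellLinkHeader.LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01                  # LinkInfo.LinkInfoFlags bit
STARTUP_SUBDIR = os.path.join("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
SUSPECT_PATHS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def lnk_target(data: bytes) -> "str | None":
    """Return the LocalBasePath of a Shell Link (.lnk), or None if absent."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        return None                                   # not a ShellLinkHeader
    flags = struct.unpack_from("<I", data, 0x14)[0]   # LinkFlags
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:               # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    info_flags, base_off = struct.unpack_from("<I4xI", data, pos + 8)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    end = data.index(b"\x00", pos + base_off)          # NUL-terminated ANSI path
    return data[pos + base_off:end].decode("cp1252")

def classify(name: str, data: bytes) -> dict:
    """Describe one Startup shortcut; flag targets in user-writable dirs (hypothetical heuristic)."""
    target = lnk_target(data)
    flagged = target is not None and any(s in target.lower() for s in SUSPECT_PATHS)
    return {"name": name, "target": target, "suspicious": flagged}

def audit_startup_folders(dirs=None) -> list:
    """Scan the per-user (APPDATA) and all-users (PROGRAMDATA) Startup folders for .lnk files."""
    dirs = dirs or [os.path.join(os.environ.get(v, ""), STARTUP_SUBDIR) for v in ("APPDATA", "PROGRAMDATA")]
    findings = []
    for d in dirs:
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            if name.lower().endswith(".lnk"):
                with open(os.path.join(d, name), "rb") as fh:
                    findings.append(classify(name, fh.read()))
    return findings

def build_test_lnk(target: str) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo only) for offline tests; not a real sample."""
    path = target.encode("cp1252") + b"\x00"
    link_info = struct.pack("<7I", 0x1C + len(path) + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            0, 0x1C, 0, 0x1C + len(path)) + path + b"\x00"
    header = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
    header += struct.pack("<I", HAS_LINK_INFO) + b"\x00" * (0x4C - 24)
    return header + link_info
```

On a Windows host, `audit_startup_folders()` with no arguments walks the real Startup folders; any launcher whose target resolves into AppData, Temp or ProgramData is worth a closer look against the file-creation and process history.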

The SkinnyBoy implant was designed to exfiltrate information from the
infected system, as well as to fetch and run directly in memory the final
payload, “which probably exhibits typical backdoor behaviors,” Cluster25
notes.

“After a period of observation of the described threat and an in-depth
analysis of the identified victimology, Cluster25 team attributes the
SkinnyBoy implant and the related attack to Russian group known as
APT28/FancyBear with a mid-to-high confidence,” the researchers conclude.