[BreachExchange] 'Fancy Bear' Hacking Group Adds New Capabilities, Targets

Destry Winant destry at riskbasedsecurity.com
Thu Sep 26 10:52:29 EDT 2019


The Russia-based cyberespionage group Fancy Bear, which has led
high-profile cyberattacks against governments and embassies over the
last several years, has launched a phishing campaign that includes a
redesigned backdoor, according to research from security firm ESET.

The campaign by Fancy Bear, also known as APT28, Sofacy, Strontium and
Tsar Team, has been active since Aug. 20. The group, affiliated with
the Russian military intelligence agency GRU, was tied to the hack of
the Democratic National Committee.

Now, Fancy Bear is mainly targeting ministries of foreign affairs and
embassies in Eastern Europe and Central Asia, the researchers say.
Investigators also found evidence of a redesigned backdoor as well as
a new downloader that the hackers created using Nim, a new type of
programming language the combines aspects of Python, Ada and Modula.

This latest campaign involves phishing emails sent to victims that
contain a malicious attachment, the researchers say. If the target
opens the attachment, downloaders are launched, ending with the
installation of the backdoor within an infected device, the report

That backdoor is written in the Golang or Go programing language -
another addition to the group's toolset, the researchers note.

Revising Tactics

ESET researchers did not reveal the name of the embassies targeted in
this latest campaign, but the report notes that the campaign remains

One reason why ESET may have detected this new backdoor now is that
Fancy Bear hackers made a decision to switch tactics and tools to
better evade security detection by the organizations that the group is
targeting. That's one reason why Fancy Bear is using tools such as the
Golang and Nim programming languages, ESET researchers say.

"While it is impossible for us to know exactly why they are doing it,
a likely explanation is to try to circumvent security solutions that
are already detecting other variants of their tools," an ESET
researcher tells Information Security Media Group. "It could also make
attribution harder as it is easier to attribute back to a group a
variation of a specific tool written in a specific language than it is
with one written in a completely new language."

Phishing Scheme

The August attacks started with a phishing email that contained an
attached Microsoft Word document, although it appeared to the victim
that this particular file is blank, according to the researchers. The
email also contains a reference to a Dropbox template that includes a
link - wordData.dotm - according to the report.

In addition to using the new programming languages to rewrite their
malicious tools, Fancy Bear's use of Dropbox to help deliver
additional code is also new, ESET says.

"The initial compromise vector stays unchanged, but using a service
like Dropbox to download a remote template is unusual for the group,"
according to the report.

If a victim clicks the link for the Dropbox template, it starts
downloading malicious macros in the background that include the
Nim-based downloader as well as a Trojan that ESET calls Zebrocy, the
report notes.

The Nim-based downloader is only one part of a six-step process of
this attack. Once all those other components are downloaded, the final
payload is delivered: The backdoor that is written in Golang, the
researchers say.

This new backdoor is similar to previous backdoors deployed by the
Fancy Bear group, but written in a different programming language. In
addition to sending data back to the command-and-control server and
using encryption to hide communications, these other shared features

File manipulation, such as creation, modification and deletion;
Screenshot capabilities;
Drive enumeration;
Command execution.
Scheduling tasks within a part of Windows that allows the attackers to
maintain persistence within an infected device.

"It seems that [Fancy Bear] is porting the original code to, or
reimplementing in, other languages in the hope of evading detection,"
the ESET report says.

Tracking Fancy Bear

Active since about 2004, Fancy Bear reportedly has ties to the Russian
government as well as the Main Intelligence Directorate for Russia's
Military, or the GRU.

The group has been tied to several high-profile attacks, including the
hacking of emails from the Democratic National Committee during the
2016 U.S. Presidential Election (see: Feds Indict 7 Russians for
Hacking and Disinformation).

In 2017, Fancy Bear allegedly attempted to sway the 2017 French
presidential election by publicizing a dump of hacked data belonging
to the staffers of then presidential-aspirant Emmanuel Macron. The
hacked data included emails, accounting documents and contracts of the
people involved in Macron's campaign movement (see: Au Revoir, Alleged
Russian 'Fancy Bear' Hackers ).

In November 2018, the group turned its attention back to the U.S. and
led a targeted attack against the Senate. According to a report by
Trend Micro, the group launched several phishing sites that mimicked
the Senate's Active Directory Federation Services to gain access
privileges to several government systems and applications (see: Fancy
Bear Targets US Senate, Security Researchers Warn).

More information about the BreachExchange mailing list