Political targets at risk as Fancy Bear returns with refreshed backdoor malware

The threat group’s attack chain is now even heavier with a string of malicious payloads.


A recent attack campaign launched by Fancy Bear has revealed an updated set of tools including a backdoor written in a new language.  

Fancy Bear, also known as APT28, Sednit, Sofacy, and Strontium, is an advanced persistent threat (APT) group which has been connected to an array of politically-motivated attacks.

Previous victims of the APT include the US Democratic National Committee (DNC), the World Anti-Doping Agency (WADA), the Ukrainian military, the Association of Athletics Federations (IAAF), and various government entities.

Believed to be Russian and in operation since at least 2004, Fancy Bear is constantly developing and changing its weapons arsenal, including a variety of malware payloads such as Trojans and UEFI rootkits.


The cyberattackers may also have connections to Earworm, another politically-motivated group, given their use of shared command-and-control (C2) servers. 

ESET has discovered a new Fancy Bear campaign, tracked in August and launched at the group's usual hit-list -- including Ministries of Foreign Affairs and embassies across Europe and Asia. The group is making use of phishing emails carrying heavy malicious payloads as well as a new backdoor system.

The group has added a new programming language to its toolset: Nim, which was designed to bring together aspects of Python, Ada, and Modula.

Nim compiles to C, C++, or JavaScript, and its executables run on all major platforms including Microsoft Windows, Linux, and macOS. One of the malware's downloaders has been written in this language.


The phishing email contains a Word attachment that is blank but references a Dropbox-hosted remote template, wordData.dotm. The template has embedded malicious macros which execute lmss.exe, the new Nim downloader for the Zebrocy Trojan. 

A dormant AutoIt executable is also hidden in the document that used to act as the downloader, but its presence is considered nothing more than a mistake and oversight given its inactive status. 

Another downloader is fetched by the Nim module. This payload is written in Golang and is based on past Delphi code.

In total, six malicious modules are fetched in the attack chain before the final deployment of a Golang backdoor. The attackers will use these components to harvest basic machine information for transfer to their C2, as well as take screenshots every 35 seconds during the first few minutes of infection, conduct surveillance, and grab additional payloads and commands from the C2. 


The cybersecurity researchers say this is the first time the Golang backdoor has been seen in campaigns. While it does not appear to have any persistence elements beyond the means for attackers to manually set it by scheduling tasks under Windows\Software\OSDebug, this module alone is able to create, modify, and delete files, enumerate drives, take screenshots, and execute commands via cmd.exe. 

"It seems that the Sednit group is porting the original code to, or reimplementing it in, other languages in the hope of evading detection," ESET says. "It's probably easier that way and it means they do not need to change their entire TTPs [Tactics, Techniques and Procedures]. The initial compromise vector stays unchanged, but using a service like Dropbox to download a remote template is unusual for the group."

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0