Posted 27th May 2019, 12:58 (#1) by [M] Reviewer
ESET researchers find more clues about Fancy Bear
Working out the outfit's strange moves

Boffins at the ESET R&D centre in Montreal have just published findings on their latest investigation into the infamous Sednit Group. For several years, the Advanced Persistent Threat (APT) group Sednit, also known as APT28, Fancy Bear, Sofacy or STRONTIUM, has been attacking targets in Europe, Central Asia and the Middle East. Since then, the number and diversity of its component tools have increased drastically.

As part of this discovery, ESET looked at Sednit's backdoor Zebrocy, whose capabilities have now expanded: it can issue more than 30 different commands to compromised computers and gather considerable amounts of information about the target.

Zebrocy is quick to do its job. Once the backdoor sends information about its newly compromised system, the operators take control of the backdoor and start to send commands right away. Hence, the time between the victim running the downloader and the operators' first commands spans only a few minutes.

At the end of August 2018, the Sednit group launched a spear-phishing email campaign in which it distributed shortened URLs that delivered first-stage Zebrocy components. Alexis Dorais-Joncas, Security Intelligence Team Lead at the ESET R&D centre in Montreal, said that it was unusual for the group to use this technique to deliver one of its malware components directly. "Previously, it had used exploits to deliver and execute the first-stage malware, while in this campaign the group relied entirely on social engineering to lure victims into running the first part of the chain," he said.

ESET has recorded at least 20 clicks on the malicious link. However, the overall number of victims is impossible to estimate.

https://fudzilla.com/news/48739-eset...out-fancy-bear