In the recent attacks, the hackers used a new set of malicious payloads, including a backdoor written in a new language.
The Fancy Bear APT group has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.
“On August 20
“As predicted by other fellow researchers, the Sednit group added a new development language in their toolset, more precisely for their downloader: the Nim language. However, their developers were also busy improving their Golang downloader, as well as rewriting their backdoor from Delphi into Golang.”
The threat actors used phishing messages containing a malicious attachment that launches a long chain of
The phishing messages come with an
“The wordData.dotm file contains malicious macros that then are executed.
The attacks analyzed by ESET have involved several
In August, threat actors also used for the first time a new backdoor written in Golang, the malware has many similarities with the Delphi
Experts pointed out that six modules are fetched in the attack chain before the final
“It seems that the Sednit group is porting the original code to, or reimplementing it in, other languages in the hope of evading detection,” ESET concludes. “It’s probably easier that way and it means they do not need to change their entire TTPs [Tactics, Techniques and Procedures]. The initial compromise vector stays unchanged, but using a service like Dropbox to download a remote template is unusual for the group.”
(SecurityAffairs – APT, hacking)