In the recent attacks, the hackers used a new set of malicious payloads, including a backdoor written in a new language.
The Fancy Bear APT group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 U.S. Presidential election.
“On August 20
“As predicted by other fellow researchers, the Sednit group added a new development language in their toolset, more precisely for their downloader: the Nim language. However, their developers were also busy improving their Golang downloader, as well as rewriting their backdoor from Delphi into Golang.”
The threat actors used phishing messages containing a malicious attachment that launches a long chain of
The phishing messages come with an
“The wordData.dotm file contains malicious macros that then are executed.
The attacks analyzed by ESET have involved several
In August, the threat actors also used, for the first time, a new backdoor written in Golang; the malware has many similarities with the Delphi
Experts pointed out that six modules are fetched in the attack chain before the final
“It seems that the Sednit group is porting the original code to, or reimplementing it in, other languages in the hope of evading detection,” ESET concludes. “It’s probably easier that way and it means they do not need to change their entire TTPs [Tactics, Techniques and Procedures]. The initial compromise vector stays unchanged, but using a service like Dropbox to download a remote template is unusual for the group.”
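The remote-template trick mentioned above (a .docx that pulls a .dotm such as wordData.dotm from an external host like Dropbox, after which the template's macros run) leaves a footprint that can be checked before the document is opened: the package carries an attachedTemplate relationship with TargetMode="External" in word/_rels/settings.xml.rels. The script below is an added example, not code from ESET's report or from this article; it builds a constructed minimal .docx in build_sample_docx() (the Dropbox URL in it is a placeholder, not the real one used by the group) and flags any external attached-template reference it finds, treating a host as "review" rather than "suspicious" only if it appears in a caller-supplied trusted list.

```python
"""Flag Office documents that reference a remote (attached) template.

Added example, not code from ESET or SecurityAffairs. Assumption: a
document that loads a remote template records it as a Relationship of
type .../attachedTemplate with TargetMode="External" inside a .rels
part of the OOXML package. The sample .docx is constructed inline.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import List, Optional
from urllib.parse import urlparse

ATTACHED_TEMPLATE = "attachedTemplate"  # suffix of the relationship type URI
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target in the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # relationship parts live under _rels/ and end in .rels
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: not our concern here, skip it
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                if rtype.endswith(ATTACHED_TEMPLATE) and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


def classify(docx_bytes: bytes, trusted_hosts=()) -> str:
    """'clean' with no remote template, 'review' if every host is trusted,
    otherwise 'suspicious'. A consumer file-sharing host is not trusted by default."""
    targets = remote_templates(docx_bytes)
    if not targets:
        return "clean"
    hosts = {urlparse(t).hostname or "" for t in targets}
    if hosts and hosts <= set(trusted_hosts):
        return "review"
    return "suspicious"


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx containing only the parts the check inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("_rels/.rels", f"<Relationships xmlns='{RELS_NS}'/>")
        zf.writestr("word/document.xml",
                    "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        rels = f"<Relationships xmlns='{RELS_NS}'>"
        if template_url:
            rels += ("<Relationship Id='rId1' "
                     "Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate' "
                     f"Target='{template_url}' TargetMode='External'/>")
        rels += "</Relationships>"
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # placeholder URL, constructed for the demo; not the real template location
    for url in (None, "https://www.dropbox.com/s/abc123/wordData.dotm?dl=1"):
        doc = build_sample_docx(url)
        print(url, "->", classify(doc), remote_templates(doc))
```

Run it against real attachments from a mail gateway quarantine: a "suspicious" result is a reason to detonate or block the file before Word ever fetches the template, which is earlier in the chain than macro-based detection can act.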
(SecurityAffairs – APT, hacking)