A new Fancy Bear backdoor used to target political targets

Pierluigi Paganini September 24, 2019

Security experts at ESET have uncovered a new campaign carried out by Russia-linked Fancy Bear APT group aimed at political targets.

Security researchers at ESET have uncovered a new campaign carried out by the Russia-linked Fancy Bear APT group (also tracked as APT28, Sednit, Sofacy, Zebrocy, and Strontium) aimed at political targets.

In the recent attacks, the hackers used a new set of malicious payloads, including a backdoor written in a new language.

The Fancy Bear APT group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

“On August 20th, 2019, a new campaign was launched by the group targeting their usual victims – embassies of, and Ministries of Foreign Affairs in, Eastern European and Central Asian countries.” reads the analysis published by ESET.

“As predicted by other fellow researchers, the Sednit group added a new development language in their toolset, more precisely for their downloader: the Nim language. However, their developers were also busy improving their Golang downloader, as well as rewriting their backdoor from Delphi into Golang.”

The threat actors used phishing messages containing a malicious attachment that launches a long chain of downloaders, ending with a backdoor.

[Figure 1. Chain of compromise overview – Source ESET]

The phishing messages carry a blank document attachment that references a remote template, wordData.dotm, hosted on Dropbox. Once the victim opens the document in Word, it downloads wordData.dotm and incorporates it into the document's working environment, including any active content the template may contain.

“The wordData.dotm file contains malicious macros that then are executed. (Depending on the Microsoft Word version, the VBA macros are disabled by default and user action is required to enable them.) It also contains an embedded ZIP archive that the macros dropped and extracted.” continues the report.

The attacks analyzed by ESET involved several downloaders written in different languages, including one written in a language new to the group's toolset, Nim. Nim is a statically typed, compiled systems programming language that combines concepts from mature languages such as Python, Ada and Modula.

The downloader written in Nim is quite light in terms of its data-gathering capabilities, compared with previous Golang downloaders.

In August, the threat actors also used for the first time a new backdoor written in Golang; the malware has many similarities with the Delphi backdoors used in previous attacks.

Experts pointed out that six modules are fetched in the attack chain before the final Golang backdoor. The malware can steal sensitive data from the infected machine and takes screenshots every 35 seconds during the first few minutes of infection. The backdoor can also install additional payloads.

“It seems that the Sednit group is porting the original code to, or reimplementing it in, other languages in the hope of evading detection,” ESET concludes. “It’s probably easier that way and it means they do not need to change their entire TTPs [Tactics, Techniques and Procedures]. The initial compromise vector stays unchanged, but using a service like Dropbox to download a remote template is unusual for the group.”


Pierluigi Paganini

(SecurityAffairs – APT, hacking)
