
Last month, Microsoft released a report on the advanced threat group Fancy Bear.

This alert, as noted by security blogger Graham Cluley, explains how the group—otherwise known as “Sofacy,” “Sednit,” “STRONTIUM,” and “APT 28”—stalks mailing lists, social media sites, and public forums in search of potential victims from whom it can steal login credentials. Here Fancy Bear makes use of spear phishing techniques, a form of attack that relies on a lack of awareness among targets, to get what it wants.

Spear phishing is a significant concern for enterprises, and one can only hope that organizations everywhere interpret Microsoft’s report as an impetus to reduce their attack surfaces and implement some security awareness training among their staff.

But that’s not the end of the story for Fancy Bear. Unfortunately, phishing emails are just the tip of the iceberg of what this particular advanced threat group is capable of.

The story dates back to 2008, when Fancy Bear began targeting military and government entities worldwide, especially those connected to the North Atlantic Treaty Organization (NATO). In the years that followed, the group upped the ante by developing its first-stage malware in 2011-12 and by expanding its arsenal to include a series of backdoors, including AZZY (aka “ADVSTORESHELL,” “NETUI,” and “EVILTOSS”), in 2013.

With 2016 now before us, it would appear that the group has once again expanded its activity.

“Earlier this year, we noticed a new release of the AZZY implant which, at the time, was largely undetected by anti-malware products,” writes Kaspersky Lab’s Global Research and Analysis Team (GReAT) on Securelist.

“We observed several waves of attacks using this version, most recently in October. The new waves of attacks also included a new generation of USB stealers deployed by the Sofacy actor, with the first versions dating back to February 2015, and which appear to be geared exclusively towards high profile targets.”

GReAT explains that in August of this year, the group leveraged all of its zero-day exploits, including one in Java, one in Flash that was disclosed in the Hacking Team leaks, and two in Office, to launch a wave of attacks that targeted a number of high profile victims using a new AZZY implant.

Unlike the “standard” x64 AZZY implant, which Kaspersky’s products successfully detected and blocked, the new implant managed to evade all but dynamic detection (via a host intrusion prevention subsystem). This backdoor was delivered not via a zero-day exploit but by another piece of malware, “AppData\Local\Microsoft\Windows\msdeltemp.dll” (md5: CE8B99DF8642C065B6AF43FDE1F786A3), which was itself installed by an unknown attack.

Further analysis revealed that the malware installed a separate C&C helper (md5: 8C4D896957C36EC4ABEB07B2802268B9) as “tf394kv.dll,” which came with an external C&C communications library for all web-based communications.

“This code modification marks an unusual departure from the typical AZZY backdoors, with its C&C communication functions moved to an external DLL file,” comments GReAT. “In the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularisation follows the same line of thinking.”

Kaspersky researchers also observed in the group’s August campaign the introduction of new USB stealer modules that the attackers could use to compromise data on air-gapped networks. These features, taken together with the new AZZY implant and the six zero-day exploits, have Kurt Baumgartner, principal security researcher at Kaspersky Lab, concerned about the group’s ability to innovate quickly and to overcome better defended targets.

“This quick work is a new characteristic of their work, and this stepped up urgency is something that is unusual,” Baumgartner told SCMagazine. “In general, APT intrusions can last months or longer, and in these cases, we see Sofacy acting with unusually ramped urgency.”

As APTs like Fancy Bear become more sophisticated, GReAT recommends that customers implement a multi-tiered approach that combines anti-virus with patch management and host intrusion detection, as well as whitelisting and default-deny strategies.
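The two file indicators reported above (“msdeltemp.dll” and “tf394kv.dll” with their MD5 values) can be checked for on a host with a short sweep. This is an added example, not code from Kaspersky Lab or the original article; the function names `sweep` and `md5_of` and the `SWEEP_ROOT` environment variable are assumptions made for illustration.

```python
import hashlib
import os

# Indicators quoted in the article (MD5 -> file name reported with it).
IOCS = {
    "ce8b99df8642c065b6af43fde1f786a3": "msdeltemp.dll",
    "8c4d896957c36ec4abeb07b2802268b9": "tf394kv.dll",
}


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large DLLs are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=IOCS):
    """Walk `root` and return sorted (path, reason) findings.

    reason is "md5" when the content hash is a known indicator, and
    "name" when only the file name matches: a rebuilt sample keeps
    working under a new hash, so name-only hits still need triage.
    """
    names = {n.lower() for n in iocs.values()}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digest = md5_of(path)
            except OSError:
                # Locked or unreadable file: fall back to the name check.
                digest = None
            if digest in iocs:
                findings.append((path, "md5"))
            elif fn.lower() in names:
                findings.append((path, "name"))
    return sorted(findings)


if __name__ == "__main__":
    # Assumption: sweep the profiles directory, since the reported path
    # (AppData\Local\Microsoft\Windows\) is relative to a user profile.
    for path, reason in sweep(os.environ.get("SWEEP_ROOT", r"C:\Users")):
        print(f"{reason}\t{path}")
```

A hash hit is only as durable as the sample it came from, which is why the sweep reports name-only matches separately and why the default-deny and host intrusion prevention layers recommended above still matter.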

A technical analysis of Fancy Bear’s summer attack campaign can be found here.