APT28 / Fancy Bear still targeting military institutions

fancy-bearAPT28, aka Fancy Bear, the famous hacker group believed to be state-sponsored from Russia, seems to be targeting NATO partners / defense / military institutions / affairs in these hours. Spear-phishing emails with attached a malicious document referring to a “nato simulation” event (the name of the doc is “NATO Simulation.doc“), seem to be used to try to compromise some institutional entities (likely from east europe).

The hunting group involved in the analysis of this event is composed by @MD0ugh, @DrunkBinary, @r0ny_123, @Manu_De_Lucia.

Quick Recap:

The document has been designed to drop a first malicious component likely belonging to the APT28 / Fancy Bear arsenal.

A quite high rate of code reuse and internal analysis confirm it ‘s a SedUploader variant.

Meta-data and others investigations seem to suggest that the malicious infrastructure and components have been setted up only few days ago (at the end of November 2018).

Some images about the domain name creation date


 and the service setting up


On the basis of what i can observe in samples and public data, following there is a timeline reconstruction about the development of the operation:


Technical Details:

A screenshot of part of the decoy attached is shown following:


This spear-phishing document (md5: 43D7FFD611932CF51D7150B176ECFC29) is armed with macro code designed to work primarly through the main event controlled by sub AutoOpen().

On offset 0x00006460 the .bin embedded content.


On macro activation the instructions are designed to read specific xml node of the document itself through xmlParser and extract / decode the base64 encoded content from XPath


Extracted VBA macro code seems to be very similar to that used previously in APT28 / Fancy Bear “hospitality campaign”.

Following an image which compares an extract of the two codes:


The payload is no more than a PEDLL executable file.

This is dropped under




Files are written with vbHidden attributes.

Following a part of base64 encoded payload:


Macro instructions within sub_AutoOpen() function are designed to achieve persistency also, writing under the following RegKey


with a REG_SZ value

C:\Windows\System32\rundll32.exe “%ALLUSERSPROFILE%\UpdaterUI.dll “, “#1″”


 First run performed through WMI


sub_AutoClose() has similar functionality writing a PE with a rnd generated name under %TEMP% which appears to be executed via PowerShell.


The content dropped seems to be a  SedUploader variant identified with MD5 hash: 549726B8BFB1919A343AC764D48FDC81

Some details about:


From the malware components under my lenses, the actor is proposing the same TTPs observed in similar operations conducted in the past.

I performed at first a statical / comparative code analysis of the malicious executable, obtaining the following results:


Malware family was confirmed later by Intezer platform. View their report here

Looking at some DNS statistical hits observed for the domain name extracted, may be that at least one of these spear-phishing documents achieved the mission of first phase access. Obviously, no truth about it [really still few statistics about].

Finally, a quick high level exploding of the main cycle of the malware is reported following:


The outside word is contacted through requests like these:

[+] POST hxxps://beatguitar.com/aadv/gJNn/X2/ep/VQOA/3.SMPTE292M/?ct=+lMQKtXi0kf+3MVk38U=

[+] POST hxxps://beatguitar.com/n2qqSy/HPSe0/SY/yAsFy8/mSaYZP/lw.sip/?n=VxL0BnijNmtTnSFIcoQ=

after to have collected several infos about the victim system and to have performed some minimal anti-VM and connectivity checks [requesting legitimate services].

The first list of IoC reported and components under analysis are compatible with the modus operandi of group in question (domain registration, technologies in placecomponentsfingerprint). The activity is in line with the actor mission also.

At time of writing, some others  further malicious domain names possibly related to the campaign are under investigations. Anyway, analysis is ongoing.


domain name: beatguitar[.]com

IP: 185.99.133[.]72

md5: 43D7FFD611932CF51D7150B176ECFC29 [Spear-phishing DOC]

md5: 549726B8BFB1919A343AC764D48FDC81 [SedUploader / SofacyCarberp]

File name: NATO Simulation.doc

File name: UpdaterUI.dll

File name: Uplist.dat

Persistency: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UIMgr


FireEye: APT28 targets hospitality sector

PaloAlto Unit42: Sofacy Attacks Multiple Government Entities

ESET Research: Sednit update: Analysis of Zebrocy


Leave a Reply to Daren Cancel reply

Your email address will not be published. Required fields are marked *