'Fancy Bear' Hacking Group Adds New Capabilities, TargetsRussian Group Uses Revamped Backdoor to Target Embassies, Researchers Say
The Russia-based cyberespionage group Fancy Bear, which has led high-profile cyberattacks against governments and embassies over the last several years, has launched a phishing campaign that includes a redesigned backdoor, according to research from security firm ESET.
The campaign by Fancy Bear, also known as APT28, Sofacy, Strontium and Tsar Team, has been active since Aug. 20. The group, affiliated with the Russian military intelligence agency GRU, was tied to the hack of the Democratic National Committee.
Now, Fancy Bear is mainly targeting ministries of foreign affairs and embassies in Eastern Europe and Central Asia, the researchers say. Investigators also found evidence of a redesigned backdoor as well as a new downloader that the hackers created using Nim, a new type of programming language the combines aspects of Python, Ada and Modula.
This latest campaign involves phishing emails sent to victims that contain a malicious attachment, the researchers say. If the target opens the attachment, downloaders are launched, ending with the installation of the backdoor within an infected device, the report notes.
That backdoor is written in the Golang or Go programing language - another addition to the group's toolset, the researchers note.
ESET researchers did not reveal the name of the embassies targeted in this latest campaign, but the report notes that the campaign remains active.
One reason why ESET may have detected this new backdoor now is that Fancy Bear hackers made a decision to switch tactics and tools to better evade security detection by the organizations that the group is targeting. That’s one reason why Fancy Bear is using tools such as the Golang and Nim programming languages, ESET researchers say.
"While it is impossible for us to know exactly why they are doing it, a likely explanation is to try to circumvent security solutions that are already detecting other variants of their tools," an ESET researcher tells Information Security Media Group. "It could also make attribution harder as it is easier to attribute back to a group a variation of a specific tool written in a specific language than it is with one written in a completely new language."
The August attacks started with a phishing email that contained an attached Microsoft Word document, although it appeared to the victim that this particular file is blank, according to the researchers. The email also contains a reference to a Dropbox template that includes a link - wordData.dotm - according to the report.
In addition to using the new programming languages to rewrite their malicious tools, Fancy Bear's use of Dropbox to help deliver additional code is also new, ESET says.
"The initial compromise vector stays unchanged, but using a service like Dropbox to download a remote template is unusual for the group," according to the report.
If a victim clicks the link for the Dropbox template, it starts downloading malicious macros in the background that include the Nim-based downloader as well as a Trojan that ESET calls Zebrocy, the report notes.
The Nim-based downloader is only one part of a six-step process of this attack. Once all those other components are downloaded, the final payload is delivered: The backdoor that is written in Golang, the researchers say.
This new backdoor is similar to previous backdoors deployed by the Fancy Bear group, but written in a different programming language. In addition to sending data back to the command-and-control server and using encryption to hide communications, these other shared features include:
- File manipulation, such as creation, modification and deletion;
- Screenshot capabilities;
- Drive enumeration;
- Command execution.
- Scheduling tasks within a part of Windows that allows the attackers to maintain persistence within an infected device.
"It seems that [Fancy Bear] is porting the original code to, or reimplementing in, other languages in the hope of evading detection," the ESET report says.
Tracking Fancy Bear
Active since about 2004, Fancy Bear reportedly has ties to the Russian government as well as the Main Intelligence Directorate for Russia's Military, or the GRU.
The group has been tied to several high-profile attacks, including the hacking of emails from the Democratic National Committee during the 2016 U.S. Presidential Election (see: Feds Indict 7 Russians for Hacking and Disinformation).
In 2017, Fancy Bear allegedly attempted to sway the 2017 French presidential election by publicizing a dump of hacked data belonging to the staffers of then presidential-aspirant Emmanuel Macron. The hacked data included emails, accounting documents and contracts of the people involved in Macron's campaign movement (see: Au Revoir, Alleged Russian 'Fancy Bear' Hackers ).
In November 2018, the group turned its attention back to the U.S. and led a targeted attack against the Senate. According to a report by Trend Micro, the group launched several phishing sites that mimicked the Senate's Active Directory Federation Services to gain access privileges to several government systems and applications (see: Fancy Bear Targets US Senate, Security Researchers Warn).