ESET researchers break down latest arsenal of the infamous Sednit group

23 May 2019

Researchers at the ESET R&D centre in Montreal have just published findings on their latest investigation into the infamous Sednit Group.

For several years, the Advanced Persistent Threat (APT) group Sednit (also known as APT28, Fancy Bear, Sofacy or STRONTIUM) has been attacking targets in Europe, Central Asia and the Middle East.

Since ESET's earlier research into the group, the number and diversity of its component tools have increased drastically. As part of this investigation, ESET looked at Sednit's backdoor Zebrocy, whose capabilities have grown: it can now accept more than 30 different commands on compromised computers and gather considerable amounts of information about the target.

Zebrocy also finishes its work rapidly: once the backdoor sends basic information about its newly compromised system, the operators take control of the backdoor and start sending commands right away. As a result, the time between the victim running the downloader and the operators' first commands spans only a few minutes.

At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components. However, it is unusual for the group to use this technique to deliver one of its malware components directly.

“Previously, it had used exploits to deliver and execute the first-stage malware, while in this campaign the group relied entirely on social engineering to lure victims into running the first part of the chain,” explains ESET team lead Alexis Dorais-Joncas.

ESET has recorded at least 20 clicks on the malicious link; however, the overall number of victims is impossible to estimate.

“Unfortunately, without the email message, we don't know if there are instructions issued to the user, either, if there is any further social engineering, or if it relies solely on the victim's curiosity. The archive contains two files; the first is an executable file, while the second is a decoy PDF document,” adds Dorais-Joncas.

The first commands gather information about the victim's computer and environment, while later commands are used to retrieve files from the computer if the operators notice interesting files on the machine.

“The detection ratio is definitely lower in comparison to the usual backdoors. The very short time frame during which this backdoor is on the system and operating makes it harder to retrieve. Once its operators complete their evil deeds, they quickly remove it,” concluded Dorais-Joncas.
