Delaware, USA – July 17, 2018 – Researchers from CSE Cybsec discovered a new APT campaign conducted by the infamous Fancy Bear group. This recent cyberespionage campaign by APT28 targeted Italian military organizations. The researchers discovered four versions of a dropper written in Delphi, which downloads a modified version of the modular, multiplatform X-Agent backdoor that the Fancy Bear APT group has used repeatedly. The droppers are disguised as jpg files; once executed, they send collected information about the system over HTTPS and download the next component, which implements a persistence mechanism on the infected system. The X-Agent malware then sends encrypted requests to the command and control server to obtain the modules it needs. The researchers could not download these modules, because the attackers had either taken the C&C server offline or restricted it to answer only requests coming from a specific pool of IP addresses. However, they are confident that one of the modules is the sdbn.dll file, which was discovered at about the same time as the droppers. Based on their analysis of the final payload's code, the researchers believe that Fancy Bear's primary target is the Marina Militare and its subcontractors.
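One defender-side check for the "dropper disguised as a jpg" trick described above, given here as an added example rather than code from CSE Cybsec or SOC Prime: it compares a file's claimed extension with its magic bytes and flags image-named files that actually carry a PE executable header. The sample bytes are constructed inline for the demonstration and are not real malware samples.

```python
"""Flag files whose extension claims an image but whose content is a PE executable."""
import struct
from pathlib import Path

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"  # out-of-range slice -> b"" -> False


def looks_like_jpeg(data: bytes) -> bool:
    """True if data starts with the JPEG start-of-image marker."""
    return data[:3] == b"\xff\xd8\xff"


def classify(name: str, data: bytes) -> str:
    """Return 'disguised-pe', 'image', 'executable' or 'other' for a file name/content pair."""
    ext = Path(name).suffix.lower()
    if looks_like_pe(data):
        return "disguised-pe" if ext in IMAGE_EXTENSIONS else "executable"
    if looks_like_jpeg(data):
        return "image"
    return "other"


def scan(files: dict) -> list:
    """Return the names of files that pretend to be images but are PE executables."""
    return [name for name, data in files.items() if classify(name, data) == "disguised-pe"]


def build_fake_pe() -> bytes:
    """Constructed sample: minimal bytes that satisfy the MZ/PE check (not a runnable binary)."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew points at offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


# Constructed inputs: a genuine JPEG header, a PE hidden behind a .jpg name, a plain .exe and text.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "holiday.jpg": build_fake_pe(),
    "setup.exe": build_fake_pe(),
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    print("suspicious:", scan(SAMPLES))   # prints: suspicious: ['holiday.jpg']
```

Extension checks alone are not enough in a real investigation, but this mismatch is a cheap trigger for deeper inspection or for a SIEM rule on file-creation events.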
The campaign against the Italian military organization started in June. It is not known how the adversaries delivered the malware, but the Fancy Bear group usually sends carefully crafted phishing emails to its victims that bypass most security tools. To detect cyber espionage campaigns at an early stage, you can use your SIEM together with the APT Framework from Threat Detection Marketplace, which helps detect signs of an APT attack.