Delaware, USA – October 18, 2019 – The campaign of the Russian APT group began in 2013 and remained undetected until recently. Researchers from ESET named it Operation Ghost, its targets were the US embassy of a European Union, as well as ministries of foreign affairs in several European countries. In addition to the well-known APT29 tools, attackers used three new malware families. Since 2014, the group has been using well-known websites such as Reddit, Imgur, or Twitter to host encoded data about command-and-control infrastructure, instead of hardcoding this information into PolyglotDuke malware, which allowed them to hide C&C servers for a long time and change addresses on the fly. PolyglotDuke was used as a downloader for the next-stage malware. The second malware, RegDuke, is designed to reinfect the victim in the event of a compromise detection. This fileless tool hides in the registry of the infected machine and receives the URL for C&C communications from a legitimate-looking image hosted on Dropbox. The last tool discovered is the group’s new main backdoor, called FatDuke due to its ‘abnormal’ size – 13MB and it is used by APT29 only against the most important targets. The sheer size of the backdoor is due to additional measures to avoid the detection of malicious code and its activity.
APT29 periodically disappears from the radar of researchers, then reappears after the discovery of another sophisticated cyber espionage campaign, but never stops their malicious activity. The malware they create allows attackers to remain undetected on a victim’s network for years. You can learn the group’s techniques in the Threat Detection Marketplace in MITRE ATT&CK section: https://tdm.socprime.com/att-ck/