Rewterz Threat Alert – APT28 (FancyBear) Attacks on NATO and Central Asian Targets

Severity

Medium

Analysis Summary

APT-C-20, also known as (APT28, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, STIONTIUM, etc.), is an APT organization with a military intelligence agency background. The organization’s main targets are government agencies, diplomatic agencies, and scientific research institutions in North America, Central Asia, and Europe. APT28 has used zebrocy downloader many times in historical attacks. Zebrocy downloader includes delphi version, nim version, autolt version, VB.NET version, Visual C++ version, C# version and go version. The main function of zebrocy downloader is to collect information on the target computer. After the target is confirmed, the next stage of attack components is implanted. In a suspected attack on NATO targets, APT28 used the nim version of zebrocy downlaoder to attack. The decoy in the form of a compressed package attachment is still used, but this attack uses a niche compressed package format in ARJ format. The compressed package contains a nim zebrocy downloader and decoy files. Multiple test versions of nim zebrocy downloader of APT28 were also discovered in July and August. Nim zebrocy downloader is similar in function to delphi zebrocy downloader, mainly to obtain the information of the target computer, and to obtain screenshot information, and send the data to C2. Mainly after obtaining user information and uploading it to C2, the function of executing system commands is performed. After the sample is launched, it is judged whether the file name contains 2020. If it does, downloader is copied to C:\Users\purple\AppData\Roaming\Controller\scrssl.exe, and then executed. When the file hit does not contain 2020, a scheduled task named Windows\Component\ModuleUpd will be created and run every three minutes to achieve persistence.

Impact

• Data Exfiltration
• Unauthorized Command Execution

Indicators of Compromise

MD5

• b66c2aa25d1f9056f09d0a158d20faef
• fafd702197d758ce2687706336750660
• d5e45a9db7f739979105e000d042f1fe
• c74aa42b41ec44571a3f4e167b01c53c
• 93150535f9dcd9f7e169e255264c787a
• d21a025e6ba0db784abb1d086b67d3df
• 98e304e28a51acd92a363346c2b02b2f
• 72552ef22b484f8868dab10b0f605779
• 573247af55b015d48ab7f6d7d0d6f1db
• 8103bffc16f8fb3e55028a62e1a004f8
• a14c1fd7b59b34515e6a8a286114c48f
• 855005fee45e71c36a466527c7fad62f
• c4a0448925980eacbd22c2dd4869a1c7
• 009f073f66b24677cf7ad66818fe4509
• 3792380fd7512cc2ec9b28a686edb0e9

SHA-256

• e6e19633ba4572b49b47525b5a873132dfeb432f075fbba29831f1bc59d5885d
• 468b11cbd5710e6a2c7b9ff9409f8310f1cd59707e39b73cf21cb690cca8b287
• aac3b1221366cf7e4421bdd555d0bc33d4b92d6f65fa58c1bb4d8474db883fec
• d61350d77b7762bfe9ecb1d0a660c69d9854192ab69967743c3d86cd2623b7f9
• 1c12cf14d3dbdefd069635d57673258839bf95407674bea01f8d8f9801560dde
• d3fe567f183be17370a7a3f034ba2722c760d34e6b40aace4a2b606294373efb
• 7f698295230f59c7ca8193322eb48d71cd203f3675139f2da99e326589bfdad3
• 6449d0cb1396d6feba7fb9e25fb20e9a0a5ef3e8623332844458d73057cf04a1
• 07e0b509288c501c57cc8f11b88ac8c06e379b01b74cd910d93cfdff1f9dd7ec
• eb81c1be62f23ac7700c70d866e84f5bc354f88e6f7d84fd65374f84e252e76b
• fae335a465bb9faac24c58304a199f3bf9bb1b0bd07b05b18e2be6b9e90d72e6
• d5d9210ef49c6780016536b0863cc50f6de03f73e70c2af46cc3cff0e2bf9353
• e39aa9b3c9b95311fe951541f733972858fe724fb5265247f2b6b37ff97356ef
• 45bf0e2037b43478e39a06ab23ac5d7a7156c37f8dc38e8da482078bdfe672c5
• 3c93800b31bf6c2897ce2d8ce363c33f3a9cf468adfaa5b0c507de6084970b49

SHA1

• 537224111b8e5bdce214d408c07774894ae3ea24
• bad14008dfcb7ea3b86e4568e4c1c707c88ab20e
• 99c6c6fb3ff79680f8cefeaee0b019993e05fa0d
• 57bd3192b98c610c53de79f40efe93efa96e6d58
• bef9c4e3eac1062d0271e25b4b36d404bf3b3636
• c9fba83b6a918ccf8aeb3b5522ee28e0065aaa92
• 3dc62f224d812a3a958fa766ff6d175579856743
• 40ef7b08f271cee4482f01b820d1c54e0fdf9d89
• 9b717d50ee312b4841b919fcbe5c129610980b03
• 77857a6a78f87fd2871ab3077e87e006eaff54e7
• d7bf3ea3966f0399acfc3886ec66a7ca4d1675bf
• bfe3e62770c8a4479d19ee4208410199b7484924
• c76b54eecba442f800d899f2da4a7b5a8d8595be
• da1df0dbfe05486e518ed73b567e4b1635638f5a
• 6306fdf3d5bdde6a354fc6329541bf43f118cab1

Source IP

• 31[.]7[.]62[.]103
• 194[.]32[.]78[.]245

URL

• http[:]//31[.]7[.]62[.]103/tleaw[.]php
• http[:]//194[.]32[.]78[.]245//protect/get-upd-id[.]php

Remediation

• Block the threat indicators at their respective controls.
• Do not download files attached in untrusted emails.
• Do not respond to unexpected emails.