A new analysis of the Sofacy APT gang, a Russian-speaking group that has carried out targeted attacks against military and government offices for close to a decade, shows a relentless wave of intrusions peaking this summer against victims in a number of NATO countries and Ukraine.

Researchers at Kaspersky Lab this morning released their update on Sofacy, which is also known as APT28, Fancy Bear, Sednit and a handful of other monikers. The report documents a barrage of zero-day vulnerabilities in Office, Java, Adobe and Windows at the group’s disposal, used against targets in attacks that remained active as of last month. The report also details the gang’s malware implants and its ability to adapt quickly to detection technologies, hitting compromised machines with several different backdoors so that if one is found out, others remain as fallbacks.

Sofacy’s roots go back to around 2007, Kaspersky researchers said. The name comes from an implant used in attacks four years ago that shared some similarities with Miniduke, the APT gang Kaspersky Lab uncovered in 2013 conducting espionage against governments in Europe.

Sofacy’s rapid capability expansion began in 2013 when a number of new backdoors and malware tools were discovered, including CORESHELL, JHUHUGIT and AZZY among others.

This summer, the AZZY implant got a facelift and was used as recently as October along with a new USB-stealing malware designed to hit air-gapped machines.

In July, researchers at iSight Partners reported that Sofacy, or Tsar Team as iSight calls the group, had dropped its sixth zero-day exploit in four months; two of them, in Office and Java, were patched within a span of a few days in July.

“Usually, when someone publishes research on a given cyber-espionage group, the group reacts: either it halts its activity or dramatically changes tactics and strategy. With Sofacy, this is not always the case. We have seen it launching attacks for several years now, and its activity has been reported by the security community multiple times,” said Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab.

Five of the six zero days, iSight said, were built in-house by APT28, while the sixth, CVE-2015-5119, was a repurposed Flash zero-day put into use 24 hours after it was uncovered in the Hacking Team breach. Given the underground value of unpatched and unreported vulnerabilities, this was highly unusual behavior, even for a state-sponsored cyberespionage team.

Kaspersky researchers said they discovered the group using a Flash and a Java zero-day to drop the JHUHUGIT malware implant, which became its most prevalent first-stage implant in subsequent attacks.

The updated AZZY Trojan, meanwhile, surfaced in August in attacks against higher-profile victims, including in one case a defense contractor, Kaspersky researchers said. While the first sample was spotted on July 29 and signatures were quickly added to security systems, Kaspersky researchers said that by Aug. 4 another sample was in the wild. What made the AZZY update stand out was that it was not delivered via a zero-day; instead, it was delivered and installed by separate malware already on the system, a dropper called msdeltemp.dll that the attackers controlled via backdoors in order to send commands to infected machines.

“This code modification marks an unusual departure from the typical AZZY backdoors, with its C&C communication functions moved to an external DLL file,” Kaspersky researchers wrote in their report. “In the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularization follows the same line of thinking.”

In addition to traditional data-stealing capabilities, Sofacy also covets information stored on air-gapped machines and uses its USBSTEALER implant to drain these machines of valuable content.

This is behavior similar to that of the Equation group, one of the most sophisticated state-sponsored groups, which invested significant resources in developing more than 100 malware implants, each with its own purpose and used selectively against valuable targets.

“In 2015 its activity increased significantly, deploying no less than five 0-days, making Sofacy one of the most prolific, agile and dynamic threat actors in the arena,” Raiu said. “We have reasons to believe that these attacks will continue.”


Comment (1)

  1. Andre Gironda

    Actually, I find it a bit confusing why there are so many reliable Flash and MS-Office public exploits — yet the attackers continue to create new ones that are commonly detected.

    There is at least one Adobe Reader public exploit that is still under the radar — why not use this instead? Of the six zero days used by APT28, only one remains without a test-case exploit and without known luajit (or similar) detection rules, CVE-2015-2424 (and the entire MS15-070 bundle, including CVE-2015-2375, CVE-2015-2376, and CVE-2015-2377, does not have open test-case exploits or detectors yet). However, CVE-2015-2424 is very similar to CVE-2012-0158 and CVE-2010-3333, which are the third and seventh most-known public MS-Office exploits. I can think of eight other zero days that are completely invisible — five of which can be immediately purchased or reversed into a reliable exploit (maybe not as reliable as CVE-2012-1856 or CVE-2014-6352, but these zero days are off-radar).

    For Flash, it’s the same. Why would APT28 use CVE-2015-5119? Not only has it been public for a while, it’s also going to be detected. There are five public Flash exploits that stay under the radar, one of which is from 2014! Even CVE-2011-2140 may be difficult to detect by comparison.

    If Java and Flash are runtime-capable less and less often, then why go after them at all? An MS-Office or Adobe Reader Flash exploit makes the least sense: it requires that two or three apps be installed. This creates several opportunities, or layers, for detectors to get their job done right. Penetration testers have typically said that Flash exploits are the way to go because they are so versatile. I disagree and believe that straight-up zero days in Internet Explorer and Microsoft Edge will provide the most exploitability, followed closely by Chrome (and other clients/services) for Android (although there are two processor types to consider).
