A Look Inside Fancy Bear

综合技术 2018-12-07 阅读原文

What is Fancy Bear?

APT28, a highly advanced attack also known as Fancy Bear , is associated with the Russian military intelligence agency GRU. Recently, The NATO organization was targeted by APT28 using a spear phishing technique that leverages emails with a malicious document attached. The attack is designed to first drop a malicious component, which is an indicator of the APT28 technique.

A Look Under the Hood .

Perception Point’s platform is uniquely able to x-ray this technique at a level that sandboxes or CDR’s can’t, so we passed it through our system in order to understand its inner workings. Our technology recorded the full execution flow, before the attack could be masked, and identified attempts to execute payloads.

Below is a detailed analysis of the attack and the damage it could have inflicted.

The key actions of Fancy Bear include:

  • An attempt to evade AVs by using several advanced techniques.
  • An attempt to run malware in the form of an executable file


Attachment Analysis .

  1. Docx files are basically zip files with multiple xmls by design. In this attack, Perception Point’s engines identified malicious activity consisting of the following stages:

    The first stage is a docx file with an embedded VBA script that decoded a base64 payload from an xml file. The second stage is creating persistence on the end-user’s system and executing the payload.

    The docx file as viewed by Perception Point’s platform

  2. In the first stage Perception Point platform extracted a VBA script from the file. Once this script was analyzed, an interesting way to execute the payload was detected in the one of the xmls ( app.xml ) that is used by Microsoft Word, and the payload was decoded from base64 encoding.

    The function that decode the execute file from one of the xml .

    The xml with the payload encoded in base64 .

    Decode the base64 encryption we can find the MZ

  3. In the second stage, the VBA script saved the executed files in the autorun folders %APPDATA%Uplist.dat and %ALLUSERSPROFILE%UpdaterUI.dll :

    The parts of the script that save the payload

  4. The script continues and creates persistence by using a WMI service and the registry.
    The WMI service, is configuring rundll32.exe to eventually load %APPDATA%Uplist.dat by default after the machine is rebooted. The registry is configured to use a predefined key called ” HKCUSoftwareMicrosoftWindowsCurrentVersionRunUIMgr ” and replaces its value with “%ALLUSERSPROFILE%UpdaterUI.dll ”. In the final wscript shell, the command line to execute the malware (after removing the obfuscation) is:

    c:windowssystem32rundll32.exe %ALLUSERSPROFILE%UpdaterUI.dll

    The persistence has been setted


Executable File Analysis .

  1. As part of the analysis, we scanned the file in VirusTotal to see if this dll is known in the industry. We found out that the file is already known and identified as “ Trojan.Sofacy​​ ” in the VirusTotal engines:
    File hash: 0a842c40cdbbbc2bf5a6513e39a2bd8ea266f914ac93c958fda8c0d0048c4f94
  2. We found that the malicious dll is trying to communicate with a C2 server using HTTP to 185[.]99[.]133[.]72 and waiting for new commands to execute.

    The HTTP connection the dll makes with the C2

  3. In order to evade AV and endpoint protection the malicious dll uses sleep function to go under the radar.
    The Sleep function to evade AV detection

Summary .

This attack is very sophisticated, which is common to techniques used at the nation-state level. If leveraged against a private enterprise with the typical security solutions, it very likely could have had great impact as it is as it was well-disguised and very effective once released.

Our platform can detect this thanks to our ability to unpack multiple layers combined with our HAP (Hardware-Assisted Platform), which sees attacks at the initial stage of code execution.

Learn more about our technology

Learn More

责编内容by:Perception Point 【阅读原文】。感谢您的支持!


基于Glide V4.0封装的GlideImageView,可监听加载图片时的进度... GlideImageView 是基于 Glide V4.0设计的,实现如下特性: 1、通过提供的属性可以设置图片的圆角、边框。 2、可以设置点击触摸图片时的颜色、透明度。 3、一行代码加载来自网络、res、S...
仅仅是“0元购”?微信支付XXE漏洞竟如此可怕... 【PConline 杂谈】不知各位近日是否也有所耳闻,就是在微信JAVA版本的SDK中,发现了一个XXE漏洞。要知道,我们在使用微信进行支付时,收款方需要提供通知网址来接受异步支付结果。有了这个漏洞,攻击者不仅可以0元购物,还可能倒卖用户...
MTVF and CE Model Variation This is a note about multi-statement table valued functions (MTVF) and how their cardinality is estimated in the new CE ...
First Responder Kit Release: Driving Miss Data Ugh. Bungabase slow. When Grog try count meat, Glug eat meat. Then Grog get hungry and Glug try count meat. Bungal...
Completely remove AdView I have an AdView defined in my Layout 's XML and I want to make it disappear if the user bought the ad-free versi...