Thursday, September 29, 2022

Fancy Bear Hackers Distributing Graphite Malware utilizing PowerPoint Information


Fancy Bear, aka APT28, is a Russian state-sponsored threat actor. The group is back in action and using a new code execution technique that abuses mouse-movement actions in MS PowerPoint files to distribute the Graphite malware.

For context, APT28/Fancy Bear is linked to the Russian military intelligence service, the GRU. This is the same group that was blamed for targeting MH17 crash investigators with a spear-phishing campaign in October 2016. In 2018, the group was accused of having sent death threats to US military wives while posing as ISIS.

Campaign Details

According to threat intelligence firm Cluster25, Fancy Bear used mouse-movement actions in MS PowerPoint presentations to execute a malicious PowerShell script. The group leverages the SyncAppvPublishingServer utility, a signed Windows script, for this purpose, so no macro is needed.

In its technical report, Cluster25 stated that the attack begins as soon as the user enters presentation mode and moves the mouse. A PowerShell script is run, and a dropper is downloaded from OneDrive and executed.

The .ppt lure has two slides with instructions in French and English on using the interpretation option in the Zoom app. The downloaded image file is in fact an encrypted DLL, which is decrypted and dropped in the C:\ProgramData directory; it is later run by rundll32.exe, and a registry key is created to ensure persistence.

The dropper is a harmless-looking image file that serves as the delivery path for a follow-on payload, a variant of the Graphite malware. Graphite uses the Microsoft Graph API and OneDrive for its C2 communications and to retrieve additional payloads, so its traffic blends in with legitimate Microsoft cloud use. Fancy Bear uses a valid OAuth2 token and a fixed client ID to access the service.
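The chain the report describes (PowerPoint, then the SyncAppvPublishingServer.vbs script host, then PowerShell, then rundll32 loading a DLL from C:\ProgramData) maps directly onto parent/child process rules. The following is an added example written for this page, not Cluster25's code or tooling. It runs three such rules over a handful of constructed Sysmon-style process-creation records (ProcessGuid, ParentProcessGuid, Image, CommandLine); the GUIDs, file names, PowerShell flags and command lines in the sample are invented placeholders, not indicators from the campaign.

```python
import json
import ntpath

# Constructed Sysmon-style (Event ID 1) process-creation records, one JSON object per line.
# Not real telemetry: GUIDs, file names, flags and command lines are invented for this example.
SAMPLE_LOG = [
    r'{"ProcessGuid":"g1","ParentProcessGuid":"g0","Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe"}',
    r'{"ProcessGuid":"g2","ParentProcessGuid":"g1","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE","CommandLine":"\"C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE\" \"C:\\Users\\victim\\Downloads\\deck.ppt\""}',
    r'{"ProcessGuid":"g3","ParentProcessGuid":"g2","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Windows\\System32\\SyncAppvPublishingServer.vbs\" \"n;Write-Host constructed\""}',
    r'{"ProcessGuid":"g4","ParentProcessGuid":"g3","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -WindowStyle Hidden -Command \"Write-Host constructed\""}',
    r'{"ProcessGuid":"g5","ParentProcessGuid":"g4","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\ProgramData\\constructed.dll,Entry"}',
    # Benign control: an administrator running a script from the desktop shell.
    r'{"ProcessGuid":"g6","ParentProcessGuid":"g1","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -File C:\\Scripts\\backup.ps1"}',
]

OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def _basename(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def load_events(lines):
    """Parse JSON lines into a ProcessGuid -> event map."""
    return {e["ProcessGuid"]: e for e in (json.loads(line) for line in lines if line.strip())}


def ancestors(events, guid):
    """Yield the parent, grandparent, ... of a process, stopping at unknown GUIDs or cycles."""
    seen = {guid}
    cur = events.get(guid)
    while cur is not None:
        parent = cur.get("ParentProcessGuid")
        if parent in seen or parent not in events:
            return
        seen.add(parent)
        cur = events[parent]
        yield cur


def detect(lines):
    """Return (rule, ProcessGuid, image) tuples for every record that matches a rule."""
    events = load_events(lines)
    alerts = []
    for guid, ev in events.items():
        image = _basename(ev["Image"])
        cmdline = ev.get("CommandLine", "").lower()
        chain = [_basename(a["Image"]) for a in ancestors(events, guid)]
        # Rule 1: a script host anywhere below an Office application (the mouseover action).
        if image in SCRIPT_HOSTS and any(a in OFFICE_APPS for a in chain):
            alerts.append(("office_spawns_script_host", guid, image))
        # Rule 2: the signed App-V script being used as a PowerShell launcher.
        if image in ("wscript.exe", "cscript.exe") and "syncappvpublishingserver.vbs" in cmdline:
            alerts.append(("syncappvpublishingserver_abuse", guid, image))
        # Rule 3: rundll32 loading a DLL from the user-writable C:\ProgramData tree.
        if image == "rundll32.exe" and "\\programdata\\" in cmdline:
            alerts.append(("rundll32_from_programdata", guid, image))
    return alerts


if __name__ == "__main__":
    for rule, guid, image in detect(SAMPLE_LOG):
        print(f"{rule:32} {guid} {image}")
```

Rule 1 walks the full ancestry rather than checking only the direct parent, because the PowerShell process here is a grandchild of PowerPoint (wscript.exe sits in between); a parent-only rule would see only wscript.exe and miss it. The benign powershell.exe launched from explorer.exe produces no alert.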

[Figure: the PowerShell script]


Attack Technique Analysis

The attack, according to the company's report, uses a lure document whose template is linked to the Paris-based OECD (Organisation for Economic Co-operation and Development).


Researchers noted that these attacks are ongoing, since the URLs used in the attack were active between August and September. However, they also said that the hackers had started preparing the campaign in January.

“When opening the lure doc in presentation mode and the sufferer hovers the mouse over a hyperlink, a malicious PowerShell script is activated to obtain a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.”

Cluster25
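A practitioner triaging suspect decks wants to see the trigger itself rather than wait for the process tree. Cluster25 describes a .ppt lure; the following added example (written for this page, not Cluster25's tooling) generalises the check to the OOXML .pptx container, where a mouseover or click action that launches a program appears as an hlinkMouseOver or hlinkClick element with action="ppaction://program", and the program path lives in the slide's relationship part. It builds a minimal constructed deck in memory (not the real lure: the SyncAppvPublishingServer.vbs target and the placeholder PowerShell fragment are invented), then scans it. The list of suspicious binaries is this example's own heuristic.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# Heuristic list (this example's own): programs a slide deck has no business launching.
SUSPICIOUS = ("syncappvpublishingserver", "powershell", "pwsh", "cmd.exe", "wscript",
              "cscript", "mshta", "rundll32", "regsvr32", "certutil")

SLIDE_RE = re.compile(r"^ppt/slides/(slide\d+)\.xml$")


def _slide_rels(zf, slide):
    """Map relationship Ids to Targets for one slide (empty if the slide has no rels part)."""
    path = f"ppt/slides/_rels/{slide}.xml.rels"
    if path not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(path))
    return {r.get("Id"): r.get("Target", "") for r in root.iter(f"{{{NS_PKG}}}Relationship")}


def find_program_actions(pptx_bytes):
    """Return every click/mouseover action in the deck that launches an external program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in zf.namelist():
            m = SLIDE_RE.match(name)
            if not m:
                continue
            rels = _slide_rels(zf, m.group(1))
            root = ET.fromstring(zf.read(name))
            for trigger in ("hlinkClick", "hlinkMouseOver"):
                for el in root.iter(f"{{{NS_A}}}{trigger}"):
                    if not el.get("action", "").startswith("ppaction://program"):
                        continue
                    # The r:id attribute points at the relationship that holds the command.
                    target = rels.get(el.get(f"{{{NS_R}}}id"), "")
                    findings.append({
                        "slide": m.group(1),
                        "trigger": trigger,
                        "target": target,
                        "suspicious": any(s in target.lower() for s in SUSPICIOUS),
                    })
    return findings


def build_sample_deck(program_target):
    """Construct a minimal one-shape deck whose mouseover runs program_target (test input, not a real lure)."""
    slide = (
        f'<p:sld xmlns:p="{NS_P}" xmlns:a="{NS_A}" xmlns:r="{NS_R}">'
        '<p:cSld><p:spTree><p:sp><p:nvSpPr><p:cNvPr id="2" name="Box">'
        '<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'
        '</p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>'
    )
    safe_target = escape(program_target, {'"': "&quot;"})
    rels = (
        f'<Relationships xmlns="{NS_PKG}">'
        f'<Relationship Id="rId2" Type="{HYPERLINK_REL}" '
        f'Target="{safe_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    deck = build_sample_deck(r'C:\Windows\System32\SyncAppvPublishingServer.vbs "n;Write-Host constructed"')
    for hit in find_program_actions(deck):
        print(hit)
```

Any ppaction://program action is worth a human look, since a presentation rarely needs to launch a binary at all; the "suspicious" flag only ranks hits that name a script host or LOLBin first. The scanner does not cover the legacy binary .ppt format the report mentions, so run it on converted copies or pair it with the process-tree detection.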

Potential Targets

This campaign's potential targets include individuals and organizations in the government and defense sectors. Fancy Bear is primarily targeting entities in Europe and Eastern Europe. Given that geographic focus, the group appears to be pursuing specific intelligence objectives rather than opportunistic compromise.
