
Attack activity attributed to suspected APT28 using documents as decoys

Introduction

QiAnXin researchers captured two samples uploaded from the Kazakhstan region. The samples used information about Kazakhstan's Kazchrome company as bait. Kazchrome is said to be the world's largest producer of high-carbon ferrochrome.

The victim is induced to enable the malicious macro. Once the macro is enabled, it drops a remote-control Trojan onto the computer and executes it. Analysis and attribution work found that the dropped Trojan is suspected to be a variant of Zebrocy, a family commonly used by the Fancy Bear group.
The Fancy Bear group is known in the industry under several aliases: APT28, Sednit, Pawn Storm, Sofacy, STRONTIUM. It mainly carries out cyber attacks against the Caucasus and NATO, and recently its targets have increasingly appeared in Central Asia. Its main targets are government, military and security organizations.

The group has been active in recent years, and the number of countries it targets keeps growing. Its Zebrocy family of Trojans includes Delphi, Go, AutoIT and other language versions. Its attack methods are complex and change frequently; it is a highly skilled attack group.

The decoy file names obtained were all in Russian, and all of the samples used the same malicious macro for the attack. The decoys were disguised as a memo and a registration form from the high-carbon ferrochrome producer Kazchrome to induce the victim to enable the macro. The bait information is shown below.

[Figure: APT28 decoy document]

The macro code decrypts and executes an embedded PE file. Correlation analysis found that this sample shares similar code with a sample used by the group in 2019, and that the C2 address is again stored as a hexadecimal string, which matches the group's previous common practice. In summary, we assess that the actor behind this attack is suspected to be the APT28 group.

[Figure: Zebrocy sample]
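As an added example (not code from the QiAnXin report), a small Python triage helper that surfaces C2 URLs hidden as hexadecimal strings, the storage trick described above. The macro text and the URL it contains are constructed placeholders, not the real sample.

```python
import re

# Constructed macro-like snippet: the C2 URL is stored as a hex string,
# mirroring the technique described in the report. The URL is a placeholder.
SAMPLE_MACRO = (
    'Sub AutoOpen()\n'
    '  Dim s As String\n'
    '  s = "68747470733a2f2f6578616d706c652e696e76616c69642f'
    '77702d636f6e74656e742f7374796c652e706870"\n'
    '  Call Run(Hex2Str(s))\n'
    'End Sub\n'
)

# Even-length runs of at least 16 hex digits (8 bytes); shorter runs are
# too likely to be ordinary numbers or identifiers.
HEX_RUN = re.compile(r'(?:[0-9a-fA-F]{2}){8,}')
URL_RE = re.compile(r'https?://[^\s"\']+')


def decode_hex_strings(text):
    """Return every hex run in `text` that decodes to printable ASCII."""
    found = []
    for match in HEX_RUN.finditer(text):
        raw = bytes.fromhex(match.group(0))
        try:
            decoded = raw.decode('ascii')
        except UnicodeDecodeError:
            continue  # binary data, not an encoded string
        if decoded.isprintable():
            found.append(decoded)
    return found


def find_hidden_urls(text):
    """Decode hex-encoded strings and return any URLs they contain."""
    urls = []
    for decoded in decode_hex_strings(text):
        urls.extend(URL_RE.findall(decoded))
    return urls


if __name__ == '__main__':
    for url in find_hidden_urls(SAMPLE_MACRO):
        print('hex-encoded URL:', url)
```

Run it over the extracted VBA text of a suspicious document (for example, the output of a macro-extraction tool) to list candidate C2 addresses for blocking and hunting.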

IOCs

https[:]//www.xbhp.com/dominargreatasianodyssey/wp-content/plugins/akismet/style.php
https[:]//www.c4csa[.]org/includes/sources/felims.php
