apt28 sofacy

Attack activity by suspected APT28 using documents as decoys


QiAnXin researchers captured two samples uploaded from the Kazakhstan region. The samples used information about Kazakhstan’s Kazchrome company as bait; Kazchrome is said to be the world’s largest producer of high-carbon ferrochrome.

The victim is induced to enable the malicious macro. Once the macro is enabled, it drops a remote-control Trojan onto the computer and executes it. Analysis and attribution work found that the dropped Trojan is suspected to be a variant of Zebrocy, a family commonly used by the Fancy Bear group.
The Fancy Bear group is known in the industry under several aliases: APT28, Sednit, Pawn Storm, Sofacy and STRONTIUM. It mainly conducts cyber attacks against the Caucasus and NATO, and its targets have recently appeared more and more often in Central Asia. Its main targets are government, military and security organizations.

The group has been active in recent years and targets an increasing number of countries. Its Zebrocy family of Trojans exists in Delphi, Go, AutoIt and other language versions. Its attack methods are complex and frequently changing, and it is a highly skilled attack group.

The decoy file names obtained were all in Russian, and all of the samples used the same malicious macro for the attack. The decoys were disguised as a memo and a registration form from the high-carbon ferrochrome producer Kazchrome to induce the victim to enable the macro. The bait information is shown below.

[Figure: APT28 decoy document]

The macro code decrypts and executes the PE file. Correlation analysis found that this sample shares code with the group’s 2019 samples, and the C2 address is again stored as a hexadecimal string, consistent with the group’s earlier methods. In summary, we assess that the actor behind this attack is suspected to be the APT28 group.
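A triage heuristic for the hex-encoded-string pattern described above, written as an added example for this article (it is not code from the QiAnXin report or from the samples): it scans macro source for long quoted hexadecimal literals, decodes them, and flags blobs that begin with an MZ header or look like a URL. The VBA text, the payload bytes and the `c21.example.com` host are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed VBA macro source for illustration (not the real Zebrocy dropper).
# It imitates the pattern from the report: a payload and a C2 address kept
# in the macro as hexadecimal string literals.
SAMPLE_MACRO = '''
Sub AutoOpen()
    Dim payload As String, srv As String, note As String
    payload = "4D5A90000300000004000000FFFF0000B800000000000000"
    srv = "687474703a2f2f6332312e6578616d706c652e636f6d2f7570"
    note = "DEADBEEFDEADBEEF"
End Sub
'''

# Quoted literal made only of hex digits, at least 8 bytes long.
# Limitation: strings assembled with "&" concatenation are not joined here.
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]{16,})"')
# Loose URL / hostname shape used to flag a decoded string as a C2 candidate.
URL_RE = re.compile(r'(?:https?://)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/\S*)?')


def extract_hex_literals(macro_src: str) -> List[bytes]:
    """Return the decoded bytes of every even-length hex string literal."""
    blobs = []
    for match in HEX_LITERAL.finditer(macro_src):
        digits = match.group(1)
        if len(digits) % 2 == 0:
            blobs.append(bytes.fromhex(digits))
    return blobs


def classify_blob(blob: bytes) -> Dict[str, object]:
    """Label a decoded blob: embedded PE, URL-like C2 candidate, or unknown."""
    if blob.startswith(b"MZ"):
        return {"kind": "embedded-pe", "indicator": "", "size": len(blob)}
    if all(0x20 <= b < 0x7F for b in blob):      # printable ASCII only
        url = URL_RE.search(blob.decode("ascii"))
        if url:
            return {"kind": "possible-c2", "indicator": url.group(0), "size": len(blob)}
    return {"kind": "unknown", "indicator": "", "size": len(blob)}


def triage_macro(macro_src: str) -> List[Dict[str, object]]:
    """Decode and classify every hex literal in the macro source, in order."""
    return [classify_blob(b) for b in extract_hex_literals(macro_src)]


if __name__ == "__main__":
    for item in triage_macro(SAMPLE_MACRO):
        print(item)
```

Run against macro text dumped with a tool such as olevba; the "possible-c2" hits are candidates for analyst review, not confirmed indicators.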