Sofacy APT Adopts New Tactics and Far East Targets

Faybert

Level 24
Thread author
Verified
Top Poster
Well-known
Jan 8, 2017
1,320
CANCUN, Mexico – A new analysis of the Russian-speaking Sofacy APT gang shows a continual march toward Far East targets and overlapping of activities with other groups such as Lamberts, Turla and Danti.

Researchers at Kaspersky Lab this morning at its Security Analyst Summit, released their update on Sofacy, also known as APT28, Fancy Bear, Sednit and a handful of other monikers. The report shows how Sofacy is continuing to evolve in 2018.

Most intriguing to researchers is the overlap between Sofacy and the English-speaking threat actor behind the Lamberts, also known as Longhorn. Researchers made the discovery connecting the two APTs when the presence of Sofacy was found on a server in China belonging to a company with ties to the aerospace and defense industry. The server was previously identified as compromised by Grey Lambert malware.

In this case, Sofacy’s SPLM (aka Xagent, aka CHOPSTICK) tool was found on the server, but it’s unclear what tactics were used by the APT to plant the malware. Researchers theorize a Power Shell script or legitimate but vulnerable web app was exploited to load and execute the SPLM code.

The samples of SPLM that researchers examined demonstrate how Sofacy now maintains “distinct subdivisions for each of its main tools, with clusters for the coding, development and targeting of SPLM, GAMEFISH, and Zebrocy,” according to Kaspersky researchers.
....
....
....
 
  • Like
Reactions: harlan4096

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top