Sofacy Cyber-Espionage Group Resurfaces with New Backdoors and Zero-Days

Exterminator (Community Manager, thread author)
A 7-year-old advanced persistent threat (APT) group known under different names has made a comeback this year, employing new tools to infiltrate high-profile targets like governments and defense contractors, reports Kaspersky Labs' GReAT (Global Research and Analysis Team) division.

APT28, Sofacy, Fancy Bear, Sednit, and Strontium are all names given to this group by the various cyber-security vendors that have analyzed its operations. The most recent of them is Microsoft, which included the group as the featured threat in its recent Security Intelligence Report Volume 19.

Sofacy now uses double-headed backdoors
Today, Kaspersky is shedding more light on this group's operations, revealing some of the tools and techniques they've used against a defense contractor in the course of August this year.

Sofacy, as Kaspersky calls them, diversified its hacking arsenal this year with the addition of a set of more complex backdoors (the AZZY family), all interchangeable and used together, with one serving as a fallback in case the others fail to get a foothold on targeted systems.

The attackers also employed modularization techniques when putting together their malware, and now pack only the bare minimum into each threat, loading more code via modules sent from the C&C server when system scans on infected targets show vulnerable software ready to be exploited.

This technique was used for the backdoors themselves, as Kaspersky staff explains: "Separating C&C communications functions from the main backdoor is also a way of decreasing visibility of the main backdoor."

"As it doesn’t directly transmit data outside the attacked computer, it looks less suspicious from a security point of view," said Kaspersky, referring to the fact that Sofacy employed side-loaded DLLs to hide the backdoor's location and communicate with the C&C server.

Sofacy developed a new infostealer targeting USB storage devices
The group also used a new infostealer targeting USB drives, dubbed USBSTEALER, malware that watches removable drives and secretly steals and exfiltrates data whenever new devices are connected to an infected PC.

All stolen data is stored in a hidden directory on infected computers and sent through the AZZY backdoors to Sofacy's servers.

USBSTEALER was first seen in February 2015 and was used only on high-profile targets.

All initial Sofacy infections relied on six zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows itself.
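The post describes USBSTEALER as watching removable drives and staging stolen files in a hidden directory before an AZZY backdoor exfiltrates them. The script below is an added example (not code from the post or from Kaspersky's report) of how a defender might correlate two endpoint telemetry signals that such behaviour produces: a removable-volume mount followed within a short window by a burst of file creations into a hidden directory by one process. The event schema, the "hidden path" heuristic and all sample events are constructed for the example and do not correspond to any real EDR product's output.

```python
"""Toy correlation rule for USB-collector behaviour (added example).

Signal 1: a removable volume is mounted.
Signal 2: within `window_s` seconds, one process creates at least `min_writes`
          files inside a hidden directory.
Both the Event schema and the sample events are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    ts: float                # seconds since epoch (constructed values)
    kind: str                # "volume_mount" or "file_create"
    pid: int                 # process that generated the event
    path: str = ""           # file_create only: full path written
    removable: bool = False  # volume_mount only: is the volume removable?


def is_hidden_path(path: str) -> bool:
    """Constructed heuristic: any path component beginning with '.' counts as
    hidden.  On Windows 'hidden' is a file attribute, so a real rule would
    check that attribute from the telemetry instead of the name."""
    parts = path.replace("\\", "/").split("/")
    return any(p.startswith(".") for p in parts if p)


def correlate(events: List[Event], window_s: float = 120.0, min_writes: int = 3) -> List[dict]:
    """Return one alert per (mount, pid) pair where `pid` created at least
    `min_writes` files under hidden directories within `window_s` seconds
    after a removable-volume mount."""
    ordered = sorted(events, key=lambda e: e.ts)
    mounts = [e for e in ordered if e.kind == "volume_mount" and e.removable]
    alerts: List[dict] = []
    for m in mounts:
        writes: Dict[int, List[str]] = {}
        for e in ordered:
            if e.kind != "file_create":
                continue
            in_window = m.ts <= e.ts <= m.ts + window_s
            if in_window and is_hidden_path(e.path):
                writes.setdefault(e.pid, []).append(e.path)
        for pid, paths in writes.items():
            if len(paths) >= min_writes:
                alerts.append({"pid": pid, "mount_ts": m.ts, "paths": paths})
    return alerts


# Constructed sample telemetry: one removable mount, one fixed-disk mount,
# a burst of hidden-directory writes by pid 4242, a benign write by pid 900,
# and a late hidden write outside the correlation window.
SAMPLE_EVENTS = [
    Event(ts=1000.0, kind="volume_mount", pid=4, removable=True),
    Event(ts=1005.0, kind="volume_mount", pid=4, removable=False),
    Event(ts=1010.0, kind="file_create", pid=4242, path=r"C:\Users\alice\AppData\Roaming\.cache\doc1.docx"),
    Event(ts=1012.0, kind="file_create", pid=4242, path=r"C:\Users\alice\AppData\Roaming\.cache\doc2.xlsx"),
    Event(ts=1015.0, kind="file_create", pid=4242, path=r"C:\Users\alice\AppData\Roaming\.cache\doc3.pdf"),
    Event(ts=1020.0, kind="file_create", pid=900, path=r"C:\Users\alice\Documents\report.docx"),
    Event(ts=2000.0, kind="file_create", pid=4242, path=r"C:\Users\alice\AppData\Roaming\.cache\late.txt"),
]


def run_sample() -> List[dict]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"pid {alert['pid']} wrote {len(alert['paths'])} files to hidden dirs "
              f"within 120s of removable mount at t={alert['mount_ts']}")
```

The rule is deliberately narrow: it keys on the staging step the post describes rather than on any specific sample, so it also flags other collectors that stage files the same way, and it is tuned with `window_s` and `min_writes` rather than hard-coded paths. In production the hidden-directory check should come from the file attribute in the telemetry, and alerts would be enriched with the parent process and any later network activity from the same pid, which is where the side-loaded C&C DLL the post mentions would show up.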
 
LabZero

The Advanced Persistent Threats are targeted attacks, using sophisticated techniques employing next-generation malware and reusing old code combined with different types of instruments and, above all, implementing constant observation of the target.
The configuration file is quite variable and changes patterns and attack targets in a dynamic manner.

Hi, I don't know if this is relevant, but I have been getting phone calls saying we have downloaded a virus. They claim to be calling from Microsoft and wanted me to turn on the computer. I told them I couldn't as I'm staying at my sister's and she wasn't here. I asked for a number but they said they'd call back. Is this a scam, do you know, and how do we check, please, if anyone knows? Thanks, Tina
