Political targets at risk as Fancy Bear returns with refreshed backdoor malware


A recent attack campaign launched by Fancy Bear has revealed an updated set of tools including a backdoor written in a new language.

Fancy Bear, also known as APT28, Sednit, Sofacy, and Strontium, is an advanced persistent threat (APT) group which has been connected to an array of politically-motivated attacks.

Previous victims of the APT include the US Democratic National Committee (DNC), the World Anti-Doping Agency (WADA), the Ukranian military, the Association of Athletics Federations (IAAF), and various government entities.

Believed to be Russian and in operation since at least 2004, Fancy Bear is constantly developing and changing its weapons arsenal, including a variety of malware payloads such as Trojans and UEFI rootkits.

The cyberattackers may also have connections to Earworm, another politically-motivated group, given their use of shared command-and-control (C2) servers.

A new Fancy Bear campaign has been discovered by ESET. Launched at victims on the usual hit-list — including Ministries of Foreign Affairs and embassies across Europe and Asia — and tracked in August, the group is making use of phishing emails tied with heavy malicious payloads as well as a new backdoor system.

A new programming language has been added, Nim, that was designed to bring together aspects of Python, Ada, and Modula.

Nim compilers, to C, C++, or JavaScript, and its executables are supported by all major platforms including Microsoft Windows, Linux, and macOS, and it is in this language in which one of the malware’s downloaders has been written.

The phishing email contains a Word attachment that is blank but references a Dropbox-hosted remote template, wordData.dotm. The template has embedded malicious macros which execute lmss.exe, the new Nim downloader for the Zebrocy Trojan.

A dormant AutoIt executable is also hidden in the document that used to act as the downloader, but its presence is considered nothing more than a mistake and oversight given its inactive status.

Another downloader is fetched by the Nim module. This payload is written in Golang and is based on past Delphi code.

In total, six malicious modules are fetched in the attack chain before the final deployment of a Golang backdoor. The attackers will use these components to harvest basic machine information for transfer to their C2, as well as take screenshots every 35 seconds during the first few minutes of infection, conduct surveillance, and grab additional payloads and commands from the C2.

The cybersecurity researchers say this is the first time the Goland backdoor has been seen in campaigns. While it does not appear to have any persistence elements beyond the means for attackers to manually set it by scheduling tasks under Windows\Software\OSDebug, this module alone is able to create, modify, and delete files, enumerate drives, screenshot, and execute commands via cmd.exe.

“It seems that the Sednit group is porting the original code to, or reimplementing it in, other languages in the hope of evading detection,” ESET says. “It’s probably easier that way and it means they do not need to change their entire TTPs [Tactics, Techniques and Procedures]. The initial compromise vector stays unchanged, but using a service like Dropbox to download a remote template is unusual for the group.”