No summer vacations for Zebrocy (Sep 24, 2019)
The threat group APT28 (also tracked as Sofacy, STRONTIUM, Sednit and Fancy Bear) launched a new campaign over the summer that was detected by the ESET security team. According to ESET researchers, APT28 targeted Ministries of Foreign Affairs across Eastern Europe and Central Asia, much like in previous campaigns. One distinctive aspect of this campaign appears to be a development in the group's toolset: its downloader has been written in the Nim programming language. However, ESET researchers observed that the group's campaign tactics are quite "loud", because the victim has several downloaders installed on their machine before the final backdoor payload arrives.
Recommendation: The new APT28 campaign is considered loud because of the high number of malicious actions that take place before the backdoor is delivered, so it should be readily detected and caught by well-placed security appliances. Defense-in-depth is the best way to ensure protection from APTs: it involves layering defensive mechanisms, which can include network and endpoint security, social engineering training for staff (such as exercises that help staff recognise phishing emails) and robust threat intelligence capabilities.
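As an added example of the endpoint-side detection the recommendation calls for (this code is not from ESET's report or from the briefing; the log format, host names and file paths are constructed for illustration), the heuristic below flags a host where a chain of freshly written executables start one another within a short window, which is the pattern of several downloaders landing before a final payload:

```python
"""Heuristic detector for multi-stage drop-and-execute chains.

Constructed example (not code from ESET or the briefing): flag a host where
freshly written executables launch one another in a chain
(Office -> downloader -> downloader -> payload) within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry in a hypothetical whitespace-separated format:
#   <ISO8601> <host> file_write    <writer_image> <written_path>
#   <ISO8601> <host> process_start <parent_image> <child_image>
# Paths deliberately contain no spaces so the lines split cleanly.
SAMPLE_LOG = """\
2019-09-10T08:00:05Z ws01 process_start C:\\Windows\\explorer.exe C:\\Office\\WINWORD.EXE
2019-09-10T08:00:41Z ws01 file_write C:\\Office\\WINWORD.EXE C:\\Users\\a\\AppData\\Local\\Temp\\stage1.exe
2019-09-10T08:00:43Z ws01 process_start C:\\Office\\WINWORD.EXE C:\\Users\\a\\AppData\\Local\\Temp\\stage1.exe
2019-09-10T08:01:10Z ws01 file_write C:\\Users\\a\\AppData\\Local\\Temp\\stage1.exe C:\\Users\\a\\AppData\\Local\\Temp\\stage2.exe
2019-09-10T08:01:12Z ws01 process_start C:\\Users\\a\\AppData\\Local\\Temp\\stage1.exe C:\\Users\\a\\AppData\\Local\\Temp\\stage2.exe
2019-09-10T08:02:30Z ws01 file_write C:\\Users\\a\\AppData\\Local\\Temp\\stage2.exe C:\\Users\\a\\AppData\\Roaming\\svc.exe
2019-09-10T08:02:33Z ws01 process_start C:\\Users\\a\\AppData\\Local\\Temp\\stage2.exe C:\\Users\\a\\AppData\\Roaming\\svc.exe
2019-09-10T09:15:00Z ws02 file_write C:\\Users\\b\\Downloads\\setup.exe C:\\Tool\\tool.exe
2019-09-10T09:15:02Z ws02 process_start C:\\Users\\b\\Downloads\\setup.exe C:\\Tool\\tool.exe
"""


def parse_events(text):
    """Parse the constructed log into (timestamp, host, kind, image, path) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, first, second = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        # Windows paths are case-insensitive, so normalise before comparing.
        events.append((stamp, host, kind, first.lower(), second.lower()))
    return sorted(events)


def chain_depths(events, window=timedelta(minutes=30)):
    """Return {host: longest chain of executables that were written and then run}.

    An edge child -> writer is recorded when an executable starts within
    `window` of being written. Depth counts how many such hops lead back
    to a process that was not itself dropped.
    """
    written = defaultdict(dict)     # host -> {path: (writer_image, write_time)}
    dropped_by = defaultdict(dict)  # host -> {child_image: writer_image}
    for stamp, host, kind, first, second in events:
        if kind == "file_write":
            written[host][second] = (first, stamp)
        elif kind == "process_start":
            hit = written[host].get(second)
            if hit is not None and stamp - hit[1] <= window:
                dropped_by[host][second] = hit[0]

    depths = {}
    for host, edges in dropped_by.items():
        longest = 0
        for start in edges:
            depth, current, seen = 0, start, set()
            # Walk child -> writer -> writer's writer ...; `seen` guards against cycles.
            while current in edges and current not in seen:
                seen.add(current)
                depth += 1
                current = edges[current]
            longest = max(longest, depth)
        depths[host] = longest
    return depths


def flag_hosts(log_text, min_stages=3):
    """Hosts whose longest drop-and-execute chain has at least `min_stages` hops."""
    depths = chain_depths(parse_events(log_text))
    return sorted(host for host, depth in depths.items() if depth >= min_stages)


if __name__ == "__main__":
    print(chain_depths(parse_events(SAMPLE_LOG)))   # {'ws01': 3, 'ws02': 1}
    print(flag_hosts(SAMPLE_LOG))                   # ['ws01']
```

The threshold of three hops is the tunable part: a single installer writing and launching one executable (ws02 above) is everyday behaviour and stays below it, whereas an Office process that drops a binary which drops another which drops the final one reaches it. In production this logic would consume EDR or Sysmon file-create and process-create events rather than the constructed lines, and the 30-minute window should be widened if the chain is known to pause between stages.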
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.