Fancy Bear APT group refactored its backdoor and improved encryption to make it stealthier and harder to stop.
The operations conducted by Russian Fancy Bear APT group (aka Sednit, APT28, and Sofacy, Pawn Storm, and Strontium) are even more sophisticated and hard to detect due to.
According to a new report published by experts from security firm ESET, the APT group recently refurbished one of its most popular backdoor, Xagent, that was significantly improved by implementing new functionalities that make it more stealthier and harder to stop.
Vxers have redesigned the architecture of the malware so it has become harder to recognize previously discovered infection patterns.
The X-Agent backdoor (aka Sofacy) was associated with several espionage campaigns attributed to the APT group Fancy Bear, across the years, experts observed several strains of the X-Agent specifically designed to compromise Windows, Linux, iOS and Android OSs, and early 2017 researchers at Bitdefender spotted the first version of the X-Agent that was developed to compromise MAC OS systems.
The latest version of the X-Agent backdoor, the fourth one, implements new techniques for obfuscating strings and all run-time type information. Cyberspies upgraded some of the code used for C&C purposes and added a new domain generation algorithm (DGA) feature in the WinHttp channel for quickly creating fallback C&C domains.
ESET observed a significant improvement in the encryption algorithm and DGA implementation that makes domain takeover more difficult.
Fancy Bear also implemented internal improvements, including new commands that can be used for hiding malware configuration data and other data on an infected system.
The attack chain remained largely unchanged, the APT group Fancy Bear still relies heavily on “very cleverly crafted phishing emails.”
“The attack usually starts with an email containing either a malicious link or malicious attachment. We have seen a shift in the methods they use ‘in the course of the year’, though. Sedkit was their preferred attack vector in the past, but that exploit kit has completely disappeared since late 2016.” reads the report published by ESET. “The DealersChoice exploit platform has been their preferred method since the publication of our white paper, but we saw other methods being used by this group, such as macros or the use of Microsoft Word Dynamic Data Exchange.”
The group stopped using Sedkit exploit kit and has increasingly begun using a platform called DealersChoice, a Flash exploit framework also used by the group against Montenegro.
DealersChoice generates documents with embedded Adobe Flash Player exploits based on the target’ s configuration.
Fancy Bear’s operations are still focused on government departments and embassies all over the world.