Russia APT28 updates its arsenal in ongoing campaigns

by do son · Published December 26, 2017 · Updated October 10, 2021

The Russia APT28 organization (also known as Sednit, Fancy Bear, Sofacy, Pawn Storm and Strontium) recently reconfigured the backdoor X-Agent by APT to make its backdoor more hidden by improving its encryption technology And difficult to stop. It is reported that X-Agent back door (also known as Sofacy) and “magic bear” several spies have a relationship.

According to a report published by security firm ESET, the current operation of X-Agent by the “magic bear” is rather complicated. Its developers implemented new features and redesigned the malware architecture to make X-Agent more difficult to detect and control:

X-Agent was specifically designed to target the Windows, Linux, iOS and Android operating systems and researchers earlier this year discovered the first version of X-Agent to use to disrupt MAC OS systems.

The latest version of the X-Agent backdoor implements new techniques to obfuscate strings and all run-time type information, upgrades some code for C & C servers and adds a new Domain Generation Algorithm (DGA) capability to the WinHttp channel for use with Quickly create a rollback C & C domain. In addition, there are significant improvements in encryption algorithms and DGA implementations that make domain name takeover more difficult. ESET observed that “fantasy bears” have also achieved internal improvements, including new commands that can be used to hide malware configuration data and other data from infected systems.

Although the “magic bear” on the X-Agent backdoor made many improvements, the basic attack chain remained unchanged. The organization still relies on phishing email for cyber attacks.

ESET reports that an attack usually begins with an email that contains a malicious link or malicious attachment. In the past, the Sedkit Exploit Kit was their preferred medium of attack, but such tools have completely disappeared since the end of 2016. At present, “Fantasy Bears” are increasingly using the DealersChoice platform, which was previously used by the Montenegro Republic to exploit the Flash exploit framework (eg, CVE-2017-11292 0-day) to generate embedded Adobe Flash Player Vulnerability Document.

Until now, the main target of hackers “fantasy bear” remains the government departments and embassies all over the world.

Read more: