Kaspersky Lab’s Global Research and Analysis Team has spotted new attacks by the Sofacy group that use several upgraded techniques designed for aggressive persistence and better concealment of malicious activity on the attacked system.
MOSCOW, 9-12-2015 — /EuropaWire/ — Sofacy (also known as “Fancy Bear”, “Sednit”, “STRONTIUM” and “APT28”) is a Russian-speaking advanced threat group that has been active since at least 2008, targeting mostly military and government entities worldwide. Since appearing on the public radar in 2014, the group has not stopped its activities. Moreover, Kaspersky Lab experts have discovered new, even more advanced tools in Sofacy’s arsenal.
New toolset:
- Interchangeable: The attackers infect a target with several different backdoors, one of which serves as a reinfection tool should another be blocked or killed by a security solution.
- Modular: The attackers modularize their malware, moving some features of the backdoors into separate modules to better hide malicious activity on the attacked system. This is an increasingly popular trend that Kaspersky Lab sees regularly in targeted attacks.
- Air-gapped: In many recent (2015) attacks, the Sofacy group made use of a new version of its USB stealing implant, which allows it to copy data from air-gapped computers.
Resilience tactics and data exfiltration tool: how it works
In 2015, in what seemed to be a new wave of attacks, a target organization from the defense industry was hit with a new version of AZZY, a backdoor the Sofacy group typically uses to gain a foothold on the attacked machine and to download additional malicious tools. Kaspersky Lab products successfully blocked this malware, and that should have been the end of the story. What happened next was quite unusual: just one hour after the Trojan was blocked, another, newer version of this backdoor had been compiled by the attackers and downloaded to the target PC. This version evaded regular AV technologies but was nevertheless detected dynamically by the host intrusion prevention subsystem (HIPS).
This recurring, blindingly fast Sofacy attack attracted the attention of Kaspersky Lab’s experts, who started to investigate further. They soon discovered that the new version of the backdoor had been delivered not through a zero-day exploit (known to be the group’s usual practice) but by another implant, found during further investigation and named “msdeltemp.dll” by its authors.
The msdeltemp.dll Trojan is a downloader that lets the attackers send commands to the infected machine and receive data from it. It can also be used to upload a more sophisticated Trojan onto the system. If that secondary backdoor is blocked by an antivirus product, the attackers can still use msdeltemp.dll to fetch a new version from the C&C server and reinstall it on the attacked machine.
This is an example of using multiple backdoors for extreme resilience. The tactic itself is not new, and Sofacy has been observed using it in the past. Previously, however, the group used droppers to install two backdoors, SPLM and AZZY: if one was detected, the other provided continued access. In the new wave of attacks the tactic changed: the attackers now download a recompiled version of AZZY to replace the blocked one, with no need to repeat the whole initial infection process.
Separating the C&C communication functions from the main backdoor also reduces the main backdoor’s visibility. Because it does not transmit data outside the attacked computer itself, it looks less suspicious from a security point of view.
In addition to the change in resilience tactics, Kaspersky Lab’s experts have detected several new versions of the Sofacy USB stealer modules, which allow data to be stolen from air-gapped networks. The USBSTEALER module watches removable drives and collects files from them according to a set of rules defined by the attackers. The stolen data is copied into a hidden directory, from where it can be exfiltrated by the attackers using one of the AZZY implants.
The first versions of the new-generation USB stealer module date back to February 2015 and appear to be geared exclusively towards high-profile targets.
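The two behaviours described above, a recompiled backdoor re-downloaded to the same path shortly after an AV block, and a process that reads files from a freshly inserted removable drive and stages copies in a hidden directory, are both visible in ordinary endpoint telemetry. The following Python is an added example written for this page, not Kaspersky Lab code and not derived from the Sofacy samples; the key=value log format, hostnames, paths, process names and hashes are constructed assumptions for illustration only, not indicators of compromise.

```python
"""Two detections for the Sofacy tactics described in the text, run over
constructed endpoint telemetry. Assumed log format: one event per line,
space-separated key=value fields (paths here contain no spaces)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical hosts, paths and hashes).
SAMPLE_LOG = r"""
ts=2015-03-02T10:00:00 host=WS01 event=av_block path=C:\Users\Public\netui.dll sha256=11aa
ts=2015-03-02T10:57:00 host=WS01 event=file_create path=C:\Users\Public\netui.dll sha256=22bb proc=rundll32.exe
ts=2015-03-02T10:57:02 host=WS01 event=module_load path=C:\Users\Public\netui.dll proc=rundll32.exe
ts=2015-03-02T12:00:00 host=WS03 event=av_block path=C:\Temp\a.exe sha256=33cc
ts=2015-03-03T09:00:00 host=WS03 event=file_create path=C:\Temp\a.exe sha256=44dd proc=explorer.exe
ts=2015-03-02T14:10:00 host=WS02 event=volume_mount drive=E: bus=usb
ts=2015-03-02T14:10:30 host=WS02 event=file_read path=E:\reports\q1.docx proc=svchost.exe pid=412
ts=2015-03-02T14:10:31 host=WS02 event=file_write path=C:\ProgramData\.tmp\q1.docx proc=svchost.exe pid=412 attrs=HS
ts=2015-03-02T14:11:00 host=WS02 event=file_read path=E:\reports\q2.docx proc=explorer.exe pid=900
ts=2015-03-02T14:11:05 host=WS02 event=file_write path=C:\Users\bob\Documents\q2.docx proc=explorer.exe pid=900 attrs=A
"""


def parse_events(text):
    """Parse key=value lines into dicts, with 'ts' as datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def detect_reinfection(events, window=timedelta(hours=2)):
    """Alert when a path that AV blocked on a host is re-created within
    `window` with a different hash: the downloader fetching a recompiled
    replacement instead of repeating the initial infection."""
    alerts = []
    for b in (e for e in events if e["event"] == "av_block"):
        for e in events:
            if (e["event"] == "file_create" and e["host"] == b["host"]
                    and e["path"].lower() == b["path"].lower()
                    and b["ts"] < e["ts"] <= b["ts"] + window
                    and e.get("sha256") != b.get("sha256")):
                alerts.append({
                    "host": b["host"], "path": e["path"],
                    "blocked_sha256": b["sha256"], "new_sha256": e["sha256"],
                    "delta_minutes": int((e["ts"] - b["ts"]).total_seconds() // 60),
                    "writer": e.get("proc"),  # process to examine as the downloader
                })
    return alerts


def detect_usb_staging(events, window=timedelta(minutes=30)):
    """Alert when, within `window` of a USB volume mount, one process reads
    files from that volume and writes outside it into a hidden location
    (assumed sensor reports destination attributes in 'attrs', 'H' = hidden)."""
    alerts = []
    for m in (e for e in events if e["event"] == "volume_mount" and e.get("bus") == "usb"):
        drive = m["drive"].upper()
        in_window = lambda e: m["ts"] <= e["ts"] <= m["ts"] + window
        readers = defaultdict(list)  # (host, pid) -> files read from the removable volume
        for e in events:
            if (e["event"] == "file_read" and e["host"] == m["host"]
                    and e["path"].upper().startswith(drive) and in_window(e)):
                readers[(e["host"], e["pid"])].append(e["path"])
        for e in events:
            key = (e["host"], e.get("pid"))
            if (e["event"] == "file_write" and key in readers and in_window(e)
                    and "H" in e.get("attrs", "")
                    and not e["path"].upper().startswith(drive)):
                alerts.append({
                    "host": e["host"], "proc": e["proc"], "pid": e["pid"],
                    "staging_dir": e["path"].rsplit("\\", 1)[0],
                    "source_files": readers[key],
                })
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in detect_reinfection(evs) + detect_usb_staging(evs):
        print(alert)
```

On the constructed input, WS01 trips the reinfection rule (same path, new hash, 57 minutes after the block) while WS03 does not, because its re-creation falls outside the window; on WS02 only pid 412 is flagged, since explorer.exe wrote to a non-hidden user folder. In production the window sizes and the hidden-directory heuristic need tuning against real telemetry, and the writer process in the first alert is the lead to pivot on, since the text notes that the downloader rather than an exploit delivered the replacement.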
“Usually, when someone publishes research on a given cyber-espionage group, the group reacts: either it halts its activity or dramatically changes tactics and strategy. With Sofacy, this is not always the case. We have seen it launching attacks for several years now and its activity has been reported by the security community multiple times. In 2015 its activity increased significantly, deploying no fewer than five 0-days, making Sofacy one of the most prolific, agile and dynamic threat actors in the arena. We have reasons to believe that these attacks will continue,” said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.
Protection strategies
Kaspersky Lab products detect some of the new malware samples used by the Sofacy threat actor under the following detection names: Trojan.Win32.Sofacy.al, Trojan.Win32.Sofacy.be, Trojan.Win32.Sofacy.bf, Trojan.Win32.Sofacy.bg, Trojan.Win32.Sofacy.bi, Trojan.Win32.Sofacy.bj, Trojan.Win64.Sofacy.q, Trojan.Win64.Sofacy.s, HEUR:Trojan.Win32.Generic
To protect an organization against sophisticated targeted attacks, including those by Sofacy, Kaspersky Lab recommends using a multi-layered approach that combines:
- Traditional anti-malware technologies,
- Patch management,
- Host intrusion detection,
- Whitelisting and default-deny strategies.
Read more about how Kaspersky Lab products could help protect against Sofacy attacks in our Business blog.
Read our blog post about the Sofacy group at Securelist.com.
More information about the Sofacy group is available to customers of Kaspersky Intelligent Services. Contact:intelreports@kaspersky.com
Learn more about other Russian-speaking espionage campaigns discovered by Kaspersky Lab here.
Read more about what the APT landscape will look like in 2016
SOURCE: Kaspersky Lab