Advanced Attack Analysis

A Look Inside Fancy Bear.

By Uri Ahronovich
December 7, 2018

What is Fancy Bear?

APT28 [1], a highly advanced threat group also known as Fancy Bear [2], is associated with the Russian military intelligence agency GRU [3]. Recently, NATO [4] was targeted by APT28 using a spear-phishing technique that relies on emails with a malicious document attached. The attack is designed to first drop a malicious component, which is a hallmark of the APT28 technique. This post is based on Emanuele De Lucia’s [5] discovery.

A Look Under the Hood.

Perception Point’s platform is uniquely able to x-ray this technique at a level that sandboxes or CDRs (Content Disarm and Reconstruction solutions) can’t, so we passed the attachment through our system in order to understand its inner workings. Our technology recorded the full execution flow, before the attack could mask itself, and identified the attempts to execute payloads.

Below is a detailed analysis of the attack and the damage it could have inflicted.

The key actions of Fancy Bear include:

STAGE ONE

Attachment Analysis.

    1. Docx files are, by design, zip archives containing multiple XML files. In this attack, Perception Point’s engines identified malicious activity consisting of two stages: the first stage is a docx file with an embedded VBA script that decodes a base64 payload from an XML file; the second stage creates persistence on the end user’s system and executes the payload.

      The docx file as viewed by Perception Point’s platform

    2. In the first stage, the Perception Point platform extracted a VBA script from the file. Analysis of this script revealed an unusual way of delivering the payload: it is stored base64-encoded in one of the XML files used by Microsoft Word (app.xml), and the script decodes it.

      The function that decodes the executable from one of the XML files.

      The XML file with the payload encoded in base64.

      Decoding the base64 data reveals the MZ header.
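The first stage described above, reduced to a triage check a defender can run against an attachment, as an added example that is not part of the original post: it walks every XML part of a docx, decodes long base64 runs, and reports any that begin with the MZ header. The sample document, the 64-character run threshold and the fake PE stub are constructed assumptions; only docProps/app.xml as the carrier part comes from the analysis.

```python
"""Triage a docx for a base64-encoded executable hidden in its XML parts. Added
example, not Perception Point's code; the sample below uses a fake PE stub."""
import base64
import binascii
import io
import re
import struct
import zipfile

# Runs of 64+ base64 chars; shorter runs are ordinary XML noise (ids, hashes).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def looks_like_pe(blob):
    """True when the MZ header points (e_lfanew at 0x3C) to a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_embedded_executables(docx_bytes):
    """Return (part name, decoded size, has PE signature) for each MZ blob found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            for m in B64_RUN.finditer(zf.read(name)):
                s = m.group(0)
                if not s.endswith(b"="):        # unpadded run: decode the aligned prefix
                    s = s[: len(s) - len(s) % 4]
                try:
                    blob = base64.b64decode(s, validate=True)
                except binascii.Error:
                    continue
                if blob[:2] == b"MZ":
                    hits.append((name, len(blob), looks_like_pe(blob)))
    return hits

def build_sample_docx(embed_payload=True):
    """Constructed stand-in for the attachment: docProps/app.xml carries the blob."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)          # e_lfanew -> PE signature
    stub += b"PE\0\0" + b"\x00" * 200                 # signature plus filler, no code
    payload = base64.b64encode(bytes(stub)) if embed_payload else b"Perception Point"
    app_xml = b"<Properties><Company>" + payload + b"</Company></Properties>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()
```

Running find_embedded_executables over a real attachment reports the carrier part and decoded size without ever executing the payload, which is all a triage step needs before handing the blob to a proper analysis pipeline.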

  3. In the second stage, the VBA script saves the decoded executables to %APPDATA%\Uplist.dat and %ALLUSERSPROFILE%\UpdaterUI.dll, two locations it then registers for automatic execution:

    The parts of the script that save the payload

  4. The script continues by creating persistence through both WMI and the registry. The WMI component configures rundll32.exe to load %APPDATA%\Uplist.dat once the machine is rebooted. The registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UIMgr is set to “%ALLUSERSPROFILE%\UpdaterUI.dll”. In the final WScript.Shell call, the command line that executes the malware (after removing the obfuscation) is:

    c:\windows\system32\rundll32.exe %ALLUSERSPROFILE%\UpdaterUI.dll

    The persistence has been set
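The persistence steps above expressed as detection logic over endpoint telemetry, as an added example that is not Perception Point’s code: the events are constructed JSON lines whose field names are modelled on Sysmon (registry value set, WMI consumer created, process created), and the Office path, parent process and rule names are assumptions; the Run\UIMgr value, the two dropped files and the rundll32 command line come from the analysis.

```python
"""Flag the persistence chain the page describes in a stream of endpoint events.
Added example, not Perception Point's code. Events are constructed JSON lines with
field names modelled on Sysmon (id 13 registry set, 20 WMI consumer, 1 process)."""
import json
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
RUNDLL32 = re.compile(r"rundll32(\.exe)?\b", re.I)
# Payload living under a profile directory rather than Program Files / System32.
PROFILE_PATH = re.compile(r"%APPDATA%|%ALLUSERSPROFILE%|\\AppData\\|\\ProgramData\\", re.I)

def classify(ev):
    """Return the matching rule name for one event, or None."""
    if ev["id"] == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        value = ev.get("Details", "")
        if RUNDLL32.search(value) or value.lower().endswith(".dll"):
            return "run_key_loads_dll"      # e.g. Run\UIMgr -> %ALLUSERSPROFILE%\UpdaterUI.dll
    if ev["id"] == 20 and RUNDLL32.search(ev.get("Destination", "")):
        return "wmi_consumer_rundll32"      # WMI consumer relaunching the dropped file
    if ev["id"] == 1 and ev.get("Image", "").lower().endswith("rundll32.exe"):
        if PROFILE_PATH.search(ev.get("CommandLine", "")):
            parent = ev.get("ParentImage", "").lower()
            return "office_spawned_rundll32" if parent.endswith("winword.exe") else "rundll32_profile_path"
    return None

def scan(lines):
    """Return (rule, event id) for every line that matches a rule."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        rule = classify(ev)
        if rule:
            alerts.append((rule, ev["id"]))
    return alerts

# Constructed sample: the three events of the chain plus two benign look-alikes.
SAMPLE_LINES = [
    r'{"id": 13, "Image": "C:\\Office16\\WINWORD.EXE", "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\UIMgr", "Details": "%ALLUSERSPROFILE%\\UpdaterUI.dll"}',
    r'{"id": 20, "Operation": "Created", "Type": "CommandLine", "Destination": "c:\\windows\\system32\\rundll32.exe %APPDATA%\\Uplist.dat"}',
    r'{"id": 1, "Image": "c:\\windows\\system32\\rundll32.exe", "CommandLine": "c:\\windows\\system32\\rundll32.exe %ALLUSERSPROFILE%\\UpdaterUI.dll", "ParentImage": "C:\\Office16\\WINWORD.EXE"}',
    r'{"id": 13, "Image": "C:\\Users\\a\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\a\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}',
    r'{"id": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "ParentImage": "C:\\Windows\\explorer.exe"}',
]
```

The two benign lines show why the rules key on the DLL loader and the profile path rather than on the Run key alone: a normal autostart entry and a normal rundll32 call are not flagged.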

STAGE TWO

Executable File Analysis.

  1. As part of the analysis, we scanned the file in VirusTotal to see whether this DLL is already known in the industry. We found that the file is known and is identified as “Trojan.Sofacy” by the VirusTotal engines:

    File hash: 0a842c40cdbbbc2bf5a6513e39a2bd8ea266f914ac93c958fda8c0d0048c4f94

  2. We found that the malicious DLL communicates with a C2 server over HTTP at 185[.]99[.]133[.]72 and waits for new commands to execute.

    The HTTP connection the DLL makes with the C2

  3. To evade AV and endpoint protection, the malicious DLL calls the Sleep function to stay under the radar.

    The Sleep function used to evade AV detection

Summary.

This attack is very sophisticated, which is typical of techniques used at the nation-state level. If leveraged against a private enterprise with typical security solutions, it very likely would have had a great impact, as it was well disguised and very effective once released.

Our platform can detect this thanks to our ability to unpack multiple layers combined with our HAP (Hardware-Assisted Platform), which sees attacks at the initial stage of code execution.

[1] https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf
[2] https://en.wikipedia.org/wiki/Fancy_Bear
[3] https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
[4] https://www.emanueledelucia.net/apt28-targeting-military-institutions/
[5] https://www.emanueledelucia.net/
