APT28 [1], a highly advanced threat actor also known as Fancy Bear [2], is associated with the Russian military intelligence agency GRU [3]. Recently, the NATO organization [4] was targeted by APT28 using a spear-phishing technique that leverages emails with a malicious document attached. The attack is designed to first drop a malicious component, which is an indicator of the APT28 technique. This post is based on Emanuele De Lucia's [5] discovery.
Perception Point's platform is uniquely able to x-ray this technique at a level that sandboxes or CDRs can't, so we passed it through our system in order to understand its inner workings. Our technology recorded the full execution flow, before the attack could be masked, and identified attempts to execute payloads.
Below is a detailed analysis of the attack and the damage it could have inflicted.
The key actions of Fancy Bear include:
Figure: The docx file as viewed by Perception Point's platform.
Figure: The function that decodes the executable from one of the XML parts.
Figure: The XML part with the payload encoded in base64.
Figure: Decoding the base64 encoding reveals the MZ header of the embedded executable.
Figure: The parts of the script that save the payload to disk.
File hash: 0a842c40cdbbbc2bf5a6513e39a2bd8ea266f914ac93c958fda8c0d0048c4f94
Figure: The HTTP connection the DLL makes with the C2 server.
Figure: The Sleep function used to evade AV detection.
This attack is very sophisticated, which is common to techniques used at the nation-state level. If leveraged against a private enterprise with typical security solutions, it very likely could have had great impact, as it was well disguised and very effective once released.
Our platform can detect this thanks to our ability to unpack multiple layers combined with our HAP (Hardware-Assisted Platform), which sees attacks at the initial stage of code execution.
[1] https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf
[2] https://en.wikipedia.org/wiki/Fancy_Bear
[3] https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
[4] https://www.emanueledelucia.net/apt28-targeting-military-institutions/
[5] https://www.emanueledelucia.net/