January 15, 2019

Incident Report: #28.

Perception Point Incident Response Team

What is Fancy Bear?

APT28, a highly advanced threat actor also known as Fancy Bear, is associated with the Russian military intelligence agency GRU. Recently, NATO was targeted by APT28 using a spear-phishing technique that relies on emails with a malicious document attached. The attack is designed to first drop a malicious component, which is an indicator of the APT28 technique.

A look under the hood.

Perception Point’s platform is uniquely able to x-ray this technique at a level that sandboxes or CDRs can’t, so we passed it through our system in order to understand its inner workings. Our technology recorded the full execution flow before the attack could be masked, and identified attempts to execute payloads. Below is a detailed analysis of the attack and the damage it could have inflicted. The key actions of Fancy Bear include:

  • An attempt to evade AVs by using several advanced techniques.
  • An attempt to run malware in the form of an executable file.

Attachment Analysis.

  1. Docx files are, by design, zip files containing multiple XML files. In this attack, Perception Point’s engines identified malicious activity consisting of two stages. The first stage is a docx file with an embedded VBA script that decodes a base64 payload from an XML file. The second stage creates persistence on the end user’s system and executes the payload.
     [Figure: The docx file as viewed by Perception Point’s platform]
  2. In the first stage, the Perception Point platform extracted a VBA script from the file. Once this script was analyzed, an interesting way to execute the payload was detected in one of the XML files (app.xml) that is used by Microsoft Word, and the payload was decoded from base64 encoding.
     [Figure: The function that decodes the executable file from one of the XML files]
     [Figure: The XML with the payload encoded in base64]
     [Figure: Decoding the base64 reveals the MZ header]
  3. In the second stage, the VBA script saved the executable files in the autorun folders %APPDATA%\Uplist.dat and %ALLUSERSPROFILE%\UpdaterUI.dll.
     [Figure: The parts of the script that save the payload]
  4. The script continues and creates persistence by using a WMI service and the registry. The WMI service configures rundll32.exe to eventually load %APPDATA%\Uplist.dat by default after the machine is rebooted. The registry is configured to use a predefined key called “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UIMgr”, whose value is replaced with “%ALLUSERSPROFILE%\UpdaterUI.dll”. In the final wscript shell, the command line to execute the malware (after removing the obfuscation) is: c:\windows\system32\rundll32.exe %ALLUSERSPROFILE%\UpdaterUI.dll
     [Figure: The persistence has been set]
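
A defender can check a document for the first-stage pattern described above (a base64 run inside one of the docx XML parts that decodes to an MZ header) without opening it in Word. The following Python sketch is an added example, not code from Perception Point's platform; the sample document, its `Company` element placement and the inert 128-byte header stub are constructed for the demonstration.

```python
import base64, binascii, io, re, struct, zipfile

# A base64 run of 64+ characters, possibly wrapped across lines.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/][\r\n]*){64,}={0,2}")

def find_embedded_pe(docx_bytes):
    """Return [(part, decoded_size, has_pe_signature)] for every base64 run
    inside an XML part of the container that decodes to an MZ header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.lower().endswith(".xml"):
                continue
            for m in B64_RUN.finditer(zf.read(part)):
                run = re.sub(rb"[\r\n]", b"", m.group(0))
                run = run[: len(run) - len(run) % 4]  # keep whole 4-char groups
                try:
                    blob = base64.b64decode(run, validate=True)
                except binascii.Error:
                    continue
                if not blob.startswith(b"MZ"):
                    continue
                # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
                has_pe = False
                if len(blob) >= 0x40:
                    off = struct.unpack_from("<I", blob, 0x3C)[0]
                    has_pe = blob[off:off + 4] == b"PE\0\0"
                hits.append((part, len(blob), has_pe))
    return hits

def build_sample(with_payload):
    """Constructed test document; the 'payload' is header bytes only, no code."""
    stub = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + bytes(60)
    value = base64.b64encode(stub).decode() if with_payload else "Example Corp"
    body = "Quarterly report text. " * 10
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
                    "<w:document><w:t>%s</w:t></w:document>" % body)
        zf.writestr("docProps/app.xml",
                    "<Properties><Company>%s</Company></Properties>" % value)
    return buf.getvalue()

if __name__ == "__main__":
    for label in (False, True):
        print("payload" if label else "clean", find_embedded_pe(build_sample(label)))
```

A hit in a metadata part such as docProps/app.xml is worth escalating on its own, since document properties have no legitimate reason to carry an executable image.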

Executable File Analysis.

    1. As part of the analysis, we scanned the file in VirusTotal to see if this dll is known in the industry. We found that the file is already known and identified as “Trojan.Sofacy” by the VirusTotal engines. File hash: 0a842c40cdbbbc2bf5a6513e39a2bd8ea266f914ac93c958fda8c0d0048c4f94
    2. We found that the malicious dll tries to communicate with a C2 server over HTTP at 185[.]99[.]133[.]72 and waits for new commands to execute.
       [Figure: The HTTP connection the dll makes with the C2]
    3. In order to evade AV and endpoint protection, the malicious dll uses the Sleep function to go under the radar.

[Figure: The Sleep function used to evade AV detection]


This attack is very sophisticated, which is common to techniques used at the nation-state level. If leveraged against a private enterprise with the typical security solutions, it very likely could have had great impact, as it was well-disguised and very effective once released. Our platform can detect this thanks to our ability to unpack multiple layers combined with our HAP (Hardware-Assisted Platform), which sees attacks at the initial stage of code execution.
