Monday, October 14, 2024
HomeMalwareRussian APT28 Hacking Group Tracked Using a Variant X-Agent Delivering Via JPG...

Russian APT28 Hacking Group Tracked Using a Variant X-Agent Delivering Via JPG File

Published on

Malware protection

Security researchers from Z-Lab at CSE Cybsec observed series of malware submitted to the online sandbox and a sample submitted to Virus Total that was attributed by some experts to the Russian APT28 group.

The APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, and Strontium) active since 2007 and they involved in various attacks including the 2016 Presidential election.

Researchers from Z-Lab along with researcher with twitter handle @DrunkBinary obtained a collection of samples that appear to be the new version of APT28 backdoor tracked as X-Agent.

- Advertisement - SIEM as a Service

APT28 Group – Multi-stage Attack

The attack appears to be multi-stage one, it first drops an initial dropper malware that written in Delphi programming language and the second one is the payload downloaded from the Internet.

APT28 group

To avoid eavesdropping connection to the server made through HTTPS protocol and the hacker group having C2C servers in Europe and another one in China.

The malware connected with command and control with the name marina-info[.]net that refers to the Italian Military corp, Marina Militare.

Same Malware Behind the Samples

Researchers uncovered four samples used in the campaign and all the four appears to be the same malware sample. The sample contains two files “.lnk” file and a “jpg” file.

But the jpg file is executable, once it executed it connects with IP 45.124.132.127 and periodically send operating system details.

Once it information sent to the C2 server it drops another file “upnphost[.]exe” which is the final payload.

This file was retrieved from the threat intelligence platforms and was flagged as an APT28 sample. Another characteristic in common is the Delphi programming language which is rare to find a malware written in Delphi language.

Here you can find the analysis Analysis report, IoCs and Yara Rules.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

pac4j Java Framework Vulnerable to RCE Attacks

A critical security vulnerability has been discovered in the popular Java framework pac4j. The...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...