The Sednit group — also known as Strontium, APT28,
Fancy Bear or Sofacy — is a group of attackers operating since 2004, if not
earlier, and whose main objective is to steal confidential information from
specific targets.
This article is a follow-up to ESET’s presentation
at BlueHat in November 2017. Late in 2016 we published a white paper covering Sednit activity between 2014 and 2016.
Since then, we have continued to actively track Sednit’s operations, and today
we are publishing a brief overview of what our tracking uncovered in terms of
the group’s activities and updates to their toolset. The first section covers
the update of their attack methodology: namely, the ways in which this group
tries to compromise their targets' systems. The second section covers the
evolution of their tools, with a particular emphasis on a detailed analysis of
a new version of their flagship malware: Xagent.
The Campaigns
Over the past few years the Sednit group has used
various techniques to deploy their various components on targets' computers. The
attack usually starts with an email containing either a malicious link or a
malicious attachment. We have seen a shift in the methods they use over the
course of the year, though. Sedkit was their preferred attack vector in the
past, but that exploit kit has completely disappeared since late 2016. The DealersChoice exploit platform has been their preferred method
since the publication of our white paper, but we saw other methods being used
by this group, such as macros or the use of Microsoft Word Dynamic Data
Exchange (DDE).
The following three sections will describe the
different methods used by Sednit’s operator to gain an initial foothold on a
target system. Generally, these campaigns will try to install Seduploader on
the target system. Seduploader is a first stage backdoor that can be used to
assess the target’s importance and download additional malware. If the system
is indeed of interest to them, it is likely that Sednit’s operators will
eventually install Xagent on it.
Sedkit (Sednit Exploit Kit)
Sedkit was an exploit kit used exclusively by the
Sednit group. During its lifetime, Sednit leveraged vulnerabilities in various
persistently vulnerable applications, but mostly Adobe Flash and Internet
Explorer. When Sedkit was first discovered, potential victims were redirected to its landing
page through a watering-hole scheme. Following that campaign, their preferred
method consisted of malicious links embedded in emails sent to Sednit’s
targets.
Between August and September 2016, we saw several
different email campaigns trying to lure the recipients of their messages to a
Sedkit landing page. Sedkit's targets at that time were mostly embassies and
political parties in Central Europe. The next figure shows an email containing
such a URL.
The email tries to fool its recipient into
believing that the link will ultimately lead to an interesting news story. In
this case, the article is supposedly about an earthquake that struck near Rome
in August 2016. While the email impersonates someone the victim would consider
trustworthy, there are two major hints that could lead an attentive recipient
to conclude that this email is fake. The first one is that there are spelling
mistakes (e.g. “Greetigs!”). Spelling mistakes are common in malicious Sednit
mails. The second one is the URL’s domain part. It is a purely malicious domain,
but the path part of the URL actually mimics a real, legitimate link. In this
particular case, the URL path is the same as one used in a BBC story about this
earthquake. Again, this is a commonly-used Sednit tactic, using popular stories
found on legitimate news websites and redirecting targets that click on the
emailed URL to the real website, but not before visiting the Sedkit landing
page. Besides the BBC, The Huffington Post is another popular media outlet
whose stories they like to use as bait.
Firstly, the email's subject and URL path are not
aligned: the former refers to Syria and Aleppo while the latter refers to WADA
and Russian hacking. Secondly, there are two glaring spelling mistakes. The
first one is again the use of "Greetigs!" and the second one is "Unated
Nations". One would expect that someone working for the United Nations' public relations
department would not have such a glaring error in their email signature block.
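As an added defender-side illustration (not part of ESET's article), the following Python flags the three lure traits described above for a single email: a news-style story path hosted on a domain that is not a known news site, a subject line that shares no topic with the linked story, and the recurring misspellings. The sample domain, story id and the path regex are constructed assumptions, not indicators from the article.

```python
import re
from urllib.parse import urlparse

# Hosts whose story paths the article says Sednit copied (BBC, The Huffington Post).
LEGIT_NEWS_HOSTS = {"www.bbc.com", "www.bbc.co.uk", "www.huffingtonpost.com"}
# Shape of a BBC-style story path; a heuristic chosen here, not taken from the article.
NEWS_PATH_RE = re.compile(r"^/news/[a-z]+(-[a-z]+)*-\d{6,}$")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
IGNORE = {"news", "entry", "story", "update"}
MISSPELLINGS = ("Greetigs", "Unated")  # strings the article reports in Sednit mails

def keywords(text):
    """Lower-case words of four or more letters, minus generic path/subject filler."""
    return set(re.findall(r"[a-z]{4,}", text.lower())) - IGNORE

def mimicked_news_links(body):
    """URLs whose path looks like a real news story but whose host is not a known news site."""
    flagged = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        if parsed.netloc.lower() in LEGIT_NEWS_HOSTS:
            continue
        if NEWS_PATH_RE.match(parsed.path):
            flagged.append(url)
    return flagged

def subject_path_mismatch(subject, url):
    """True when the subject and the URL path share no topical keyword."""
    return not (keywords(subject) & keywords(urlparse(url).path))

def lure_indicators(subject, body):
    """Collect the red flags the article describes for one email."""
    links = mimicked_news_links(body)
    return {
        "mimicked_links": links,
        "subject_path_mismatch": [u for u in links if subject_path_mismatch(subject, u)],
        "misspellings": [w for w in MISSPELLINGS if w in body],
    }

# Constructed sample email; the domain is a placeholder, not a real indicator.
SAMPLE_SUBJECT = "Syria - Aleppo update"
SAMPLE_BODY = (
    "Greetigs!\n\nSee the latest: http://news-update.example/news/wada-russian-hacking-12345678\n"
    "Regards,\nUnated Nations Press Office"
)

if __name__ == "__main__":
    print(lure_indicators(SAMPLE_SUBJECT, SAMPLE_BODY))
```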
The last campaign using Sedkit was observed in
October 2016. It is interesting to note that the disappearance of Sedkit
follows a trend we have seen with other exploit kits. Most of these were
relying on exploits for older versions of Internet Explorer and/or Flash to
perform drive-by downloads. The decline of the majority of exploit kit
operations during 2016, including Sednit's, could well be attributable to the
code hardening performed by Microsoft and Adobe.
Full details of Sedkit’s inner workings can be
found in our previously published white paper.
DealersChoice
In August 2016, Palo Alto Networks blogged about a new platform used by Sednit to gain initial
access to a system. This platform, which they called DealersChoice, has the ability to
generate malicious documents with embedded Adobe Flash Player exploits. There
are two variants of this platform. The first one checks which Flash Player
version is installed on the system and then selects one of three different
vulnerabilities. The second variant will first contact a C&C server which
will deliver the selected exploit and the final malicious payload. Of course,
the second version is much harder to analyze, as the document delivered to the
targets does not contain all the pieces of the puzzle.
This platform is still in use today by Sednit and,
like Sedkit, tracks international news stories and includes a reference to them
in their malicious emails, in an attempt to lure the target into opening the
malicious document attachment. Sometimes, they also use other, non-political,
schemes. In December 2016, they used a rather unusual (for the group) lure:
This email was sent to multiple Ministries of
Foreign Affairs and embassies in Europe on December 22nd and 23rd, and
contained a Word document attachment that appeared to be a Christmas eCard.
Note that this was the first time that we saw the Sednit group use a
non-geopolitical phishing lure to trap their targets. Of course,
the Word document, if opened, uses DealersChoice to try to compromise the
system. Sednit used DealersChoice intensively in late 2016, but the platform
was not seen for a long time after that. In fact, the first time we saw them
use it in 2017 was in October.
The complete post can be found on