
Security researchers at ESET’s R&D center in Montreal have documented how the well-known hacker group Fancy Bear – also known as Sednit, APT28, Sofacy and STRONTIUM – operates. According to the researchers, the group relies on a backdoor called Zebrocy.

The Advanced Persistent Threat (APT) group Sednit has attacked a variety of targets in Europe, Central Asia and the Middle East in recent years. Over that period, according to the researchers, the set of components it deploys has grown steadily more diverse.

The Zebrocy backdoor examined by the researchers, for example, has gained new capabilities. It now supports more than thirty commands that operators can issue to a compromised computer, and it can collect large amounts of information about the target.

According to the researchers at the Slovak security company, Zebrocy gets its work done quickly. As soon as the backdoor transmits basic information about the compromised system, the operators take control of it and begin issuing commands immediately. As a result, only a few minutes pass between the victim running the downloader and the operator’s first commands.

Phishing campaign

At the end of August 2018, the Sednit group launched a spear-phishing campaign in which it distributed shortened URLs that delivered first-stage Zebrocy components. According to Alexis Dorais-Joncas, Security Intelligence Team Lead at the ESET R&D centre in Montreal, it is unusual for the group to use this technique.

“Previously, it used exploits to deliver and execute first-stage malware.” ESET has seen at least twenty clicks on the malicious link, but according to the company it is difficult to estimate the total number of victims.

“Without the e-mail message we do not know if instructions are given to the user. We also don’t know whether there is any further social engineering, or whether it relies entirely on the curiosity of the victim,” says Dorais-Joncas.

“The archive contains two files. The first commands collect information about the victim’s computer and environment. Other commands are used to retrieve files from the computer when the operators are notified of the presence of interesting files on the machine. There is a very short time when the backdoor is on and running on the system, making it more difficult to detect. As soon as the operators are done with their evil deeds, they quickly remove it.”

This news article was automatically translated from Dutch.