Fancy Bear continues to spy in 2017, ESET researchers report


Since 2004, ESET, a global leader in information security, has been committed to tracking Fancy Bear (also known as Sednit or APT28) – one of the most notorious cyber espionage groups in the world. A year after we brought forward the most comprehensive whitepaper on the activities of this group, ESET researchers have uncovered a new version of Fancy Bear’s flagship malware, Xagent, proving the group remains very active in 2017, and will continue to be in 2018.

Targeted tracking

Throughout tracking the group’s activity, ESET has identified that Fancy Bear’s main objective has been the theft of confidential information from specific, high-profile targets. The most notable alleged targets over the past few years include the likes of the French television network TV5Monde in April 2015, the German Parliament a month later, and the American Democratic National Committee (DNC) in March 2016.

When targeting individuals or groups, Fancy Bear uses two main attack methods to deploy its malicious software – typically persuading someone to open an email attachment, or directing an individual to a website that contains a custom exploit kit as the result of a phishing email. Once the group identifies an interesting target, it deploys its espionage toolkit, delivering long-term monitoring of compromised devices. Xagent is one of two backdoors delivered via this method and leveraged for spying.

“Xagent is an extremely well-designed backdoor and, over the past few years, has become Sednit’s flagship espionage malware,” said ESET Security Intelligence Team Lead Alexis Dorais-Joncas. “With its ability to communicate over HTTP or through email, we have seen this modular backdoor used heavily across the group’s operations.”

An ever-evolving threat

In 2017, ESET discovered a new version of Xagent for Windows. As ESET reveals, Version 4 of Xagent introduces new string obfuscation techniques and also obfuscates all run-time type information. These techniques change how strings are encrypted, using methods unique to each binary, which makes analysis of the malware significantly harder.

“The techniques added to the backdoor – encryption and the Domain Generation Algorithm (DGA) – make our job of reversing harder,” explained Senior Malware Researcher Jean-Ian Boutin from ESET. “It takes a lot of time to take over or shut down a domain when you have to deal with more than one.”

The addition of new features and compatibility with all major platforms – Windows, Linux, Android and OS – makes Xagent the core backdoor used by Fancy Bear today. 

“It’s clear that the Fancy Bear group is still very active; continually evolving and growing in sophistication,” continued Dorais-Joncas. “This new version of Xagent is incredibly interesting and complex. We can now hypothesize that Sednit has added another layer to check in on its targets by dropping Xagent with just a few modules, and if the victim is interesting enough, the group can then drop another version with all the modules. It just demonstrates how determined the group is in its efforts to continually target high-profile organizations and institutions across the world.”

If you’re interested in reading more about ESET’s research on Fancy Bear and how the group has developed over the past few years, please read our latest blog here.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defences in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit or follow us on LinkedIn, Facebook and Twitter.

Media Contact:

Veronica Bart, Veritas Communications