ESET researchers break down latest arsenal of the infamous Sednit (aka Fancy Bear) group

Next story

MONTREAL, BRATISLAVA – Researchers at the ESET R&D center in Montreal have just published findings on their latest investigation into the infamous Sednit Group. For several years, the Advanced Persistent Threat (APT) group Sednit (also known as APT28, Fancy Bear, Sofacy or STRONTIUM) has been attacking targets in Europe, Central Asia and the Middle East. Since then, the number and diversity of component tools has increased drastically.

As part of this discovery, ESET looked at Sednit’s backdoor Zebrocy, the capabilities of which have now increased thanks to the ability to issue more than 30 different commands to compromised computers and gather considerable amounts of information about the target.

Zebrocy finishes its work rapidly as well:  Once the backdoor sends basic information about its newly compromised system, the operators take control of the backdoor and start to send commands right away. Hence, the time between the victim running the downloader and the operators' first commands spans only a few minutes.

At the end of August 2018, the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered first stage Zebrocy components. “However, it is unusual for the group to use this technique to deliver one of its malware components directly. Previously, it had used exploits to deliver and execute the first stage malware, while in this campaign the group relied entirely on social engineering to lure victims into running the first part of the chain,” explains Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET R&D center in Montreal.

Twenty clicks were recorded by the URL shortening service, however the overall number of victims is impossible to estimate. “Unfortunately, without the email message, we don't know if there are instructions issued to the user either, if there is any further social engineering, or if it relies solely on the victim's curiosity. The archive contains two files; the first is an executable file, while the second is a decoy PDF document,” adds Dorais-Joncas. First commands gather information about the victim's computer and environment, other commands are used to retrieve files from the computer if the operators become aware of the presence of interesting files on the machine.

“The detection ratio is definitely lower in comparison to the usual backdoors. The very short time frame during which this backdoor is on the system and operating makes it harder to retrieve. Once its operators complete their evil deeds, they quickly remove it,” says Alexis Dorais-Joncas as he highlights the fast acting nature of this backdoor.

Read the latest research into Sednit and Zebrocy on Additionally, a few months ago, ESET unveiled the existence of a UEFI rootkit, called LoJax, which we attribute to the Sednit group. This is a first for an APT group and shows Sednit has access to very sophisticated tools to conduct its espionage operations.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET has become the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit or follow us on LinkedIn, Facebook and Twitter.