Fancy Bear continues to spy in 2017, ESET researchers report

ESET, a global leader in information security, has been committed to tracking Fancy Bear (also known as Sednit or APT28) – one of the most notorious cyberespionage groups in the world. A year after we brought forward the most comprehensive whitepaper on the activities of this group, ESET researchers have uncovered a new version of Fancy Bear’s flagship malware, Xagent, proving the group remains very active in 2017, and will continue to be in 2018.

Targeted tracking

Throughout tracking of the group’s activity, ESET has confirmed that Fancy Bear’s main objective has been the theft of confidential information from specific, high-profile targets. The alleged targets over the past few years include the French television network TV5Monde in April 2015, the German Parliament a month later, and the American Democratic National Committee (DNC) in March 2016.

When targeting individuals or groups, Fancy Bear uses two main attack methods to deploy its malicious software – typically persuading someone to open an email attachment, or directing an individual to a website that contains a custom exploit kit as the result of a phishing email. Once the group identifies an interesting target, it deploys its espionage toolkit, delivering long-term monitoring of compromised devices. Xagent is one of two backdoors delivered via this method and leveraged for spying.

“Xagent is an extremely well-designed backdoor and, over the past few years, has become Sednit’s flagship espionage malware,” said Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET. “With its ability to communicate over HTTP or through email, we have seen this modular backdoor used extensively across the group’s operations.”

An ever-evolving threat

In 2017, ESET discovered a new version of Xagent for Windows. As ESET reveals, Version 4 of Xagent comes with new techniques for string obfuscation and shows the feature that all run-time type information is also obfuscated. These techniques significantly improve the way in which strings are encrypted via methods unique to each binary.

“The techniques added to the backdoor - encryption and the Domain Generation Algorithm (DGA) - make our life harder,“ continued Dorais-Joncas. “The former makes the reversing more difficult while the latter makes domain takeover more challenging as there are more domains to takedown or seize.“

The addition of new features and compatibility with all major platforms – Windows, Linux, Android and OS – makes Xagent the core backdoor used by Fancy Bear today. 

“It’s clear that the Fancy Bear group is still very active; continually evolving and growing in sophistication,” concluded Dorais-Joncas. “This new version of Xagent is incredibly interesting and complex. We can now hypothesize that Sednit has added another layer to check in on its targets by dropping Xagent with just a few modules, and if the victim is interesting enough, the group can then drop another version with all the modules. It just demonstrates how determined the group is in its efforts to continually target high-profile organizations and institutions across the world.”

If you would be interested in reading more about ESET’s research on Fancy Bear and how the group has developed over the past few years, please read our latest blog here

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET has become the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit or follow us on LinkedInFacebook and Twitter.