ESET, a global leader in information security, has been committed to tracking Fancy Bear (also known as Sednit or APT28) – one of the most notorious cyberespionage groups in the world. A year after we brought forward the most comprehensive whitepaper on the activities of this group, ESET researchers have uncovered a new version of Fancy Bear’s flagship malware, Xagent, proving the group remains very active in 2017, and will continue to be in 2018.
Throughout
, ESET has confirmed that Fancy Bear’s main objective has been the theft of confidential information from specific, high-profile targets. The alleged targets over the past few years include the French television network TV5Monde in April 2015, the German Parliament a month later, and the American Democratic National Committee (DNC) in March 2016. When targeting individuals or groups, Fancy Bear uses two main attack methods to deploy its malicious software – typically persuading someone to open an email attachment, or directing an individual to a website that contains a custom exploit kit as the result of a phishing email. Once the group identifies an interesting target, it deploys its espionage toolkit, delivering long-term monitoring of compromised devices. Xagent is one of two backdoors delivered via this method and leveraged for spying.
“Xagent is an extremely well-designed backdoor and, over the past few years, has become Sednit’s flagship espionage malware,” said Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET. “With its ability to communicate over HTTP or through email, we have seen this modular backdoor used extensively across the group’s operations.”
In 2017, ESET discovered a new version of Xagent for Windows. As ESET reveals, Version 4 of Xagent introduces new string obfuscation techniques and also obfuscates all run-time type information. These techniques significantly improve the way in which strings are encrypted, using methods unique to each binary.
“The techniques added to the backdoor – encryption and the Domain Generation Algorithm (DGA) – make our life harder,” continued Dorais-Joncas. “The former makes the reversing more difficult while the latter makes domain takeover more challenging as there are more domains to takedown or seize.”
The addition of new features and compatibility with all major platforms – Windows, Linux, Android and OS – makes Xagent the core backdoor used by Fancy Bear today.
“It’s clear that the Fancy Bear group is still very active; continually evolving and growing in sophistication,” concluded Dorais-Joncas. “This new version of Xagent is incredibly interesting and complex. We can now hypothesize that Sednit has added another layer to check in on its targets by dropping Xagent with just a few modules, and if the victim is interesting enough, the group can then drop another version with all the modules. It just demonstrates how determined the group is in its efforts to continually target high-profile organizations and institutions across the world.”
If you would be interested in reading more about ESET’s research on Fancy Bear and how the group has developed over the past few years, please read our latest blog.
Since 1987, ESET has been developing security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 200 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information, visit the ESET website or follow the company on social media.