New Tools for Espionage Group
Tuesday, December 8, 2015 @ 05:12 PM gHale
A Russian espionage group is now using new, effective tools in their attacks against a myriad of targets, Kaspersky Lab researchers said.
The threat actor, known as Pawn Storm, Strontium, APT28, Sofacy, Sednit and Fancy Bear, has been actively targeting military, media, defense and government organizations from across the world since 2007, Kaspersky researchers said. Entities in NATO countries are the primary targets, but researchers just spotted an increase in attacks aimed at Ukraine.
Pawn Storm uses zero-day exploits targeting Adobe Flash Player, Java, Microsoft Office and Windows in its operations, the researchers said. Attackers also leveraged a wide range of tools to achieve their goals, including backdoors such as SPLM (also known as Xagent and CHOPSTICK) and AZZY (aka ADVSTORESHELL, NETUI and EVILTOSS), and USB stealers designed for data theft from air-gapped systems. Other tools called JHUHUGIT and JKEYSKW were also part of the Pawn Storm assaults.
Up until August, Pawn Storm used zero-day exploits to infect systems with the JHUHUGIT and JKEYSKW first-stage implants. However, in August, Kaspersky Lab researchers spotted a new version of the AZZY Trojan, mainly used for reconnaissance, while investigating a wave of attacks aimed at defense organizations. Experts said the campaign was still ongoing in November.
The new AZZY, most recently seen in an October attack, was delivered by another piece of malware instead of a zero-day exploit. An analysis of the threat revealed that, unlike previous variants, the new AZZY backdoor uses an external library for command and control (C&C) communications.
“In the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularization follows the same line of thinking,” Kaspersky researchers said in a blog post.
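The design change described above (a C&C address stored in the registry rather than in the malware body) means the address can be found in registry data even when the binary itself is not at hand. The script below is an added defender-side example, not code from the article or from Kaspersky: it scans text in the layout of a Windows .reg export for configuration values that look like network endpoints (URLs, IPv4 addresses with a port, host:port pairs) and reports them with their key path, skipping keys where such data is expected. The sample export, every key path and value name in it, and the 203.0.113.0/24 address are constructed for this example and are not AZZY indicators; the list of expected key fragments is an assumption to be tuned per environment.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of a Windows .reg export. Key paths, value
# names and addresses are invented for this example (203.0.113.0/24 is a
# documentation-only range); none of them are real AZZY artifacts.
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]
"srv"="http://203.0.113.45:8080/upd"
"id"="a1b2c3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="proxy.corp.example:3128"
"""

# Value data that looks like a network endpoint. The first pattern that
# matches decides the reported kind.
NETWORK_PATTERNS = [
    ("url", re.compile(r"https?://[^\s\"]+", re.I)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")),
    ("host_port", re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}:\d{2,5}\b", re.I)),
]

# Key paths in which a network address is expected and therefore not reported.
# Assumption: this short list is a starting point, not a complete allowlist.
EXPECTED_KEY_FRAGMENTS = ("\\Internet Settings", "\\Network")

# A .reg value line: "name"="string data"
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


@dataclass
class Finding:
    key: str    # registry key path the value lives under
    name: str   # value name
    data: str   # value data
    kind: str   # which NETWORK_PATTERNS entry matched
    match: str  # the matched substring


def scan_reg_export(text: str) -> List[Finding]:
    """Return string values whose data resembles a network endpoint,
    excluding keys where such data is expected."""
    findings: List[Finding] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        key_lower = current_key.lower()
        if any(frag.lower() in key_lower for frag in EXPECTED_KEY_FRAGMENTS):
            continue
        for kind, pattern in NETWORK_PATTERNS:
            hit = pattern.search(data)
            if hit:
                findings.append(Finding(current_key, name, data, kind, hit.group(0)))
                break
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"[{f.kind}] {f.key}\\{f.name} = {f.data!r} (matched {f.match!r})")
```

Run against the constructed sample, only the `srv` value under the vendor key is reported; the proxy setting is suppressed by the expected-key list and the Run entry carries no endpoint. This is a triage aid for a registry export collected during incident response, not a signature for any particular malware family, and it only inspects plain string values, so data stored as binary or in an encoded form would need decoding first.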
Pawn Storm also updated its data theft tools. The spy group's USB stealer modules, used for stealing data from isolated networks, were first updated in February this year, and the latest versions were compiled in May, Kaspersky said.