ESET researchers announced the staged publication of an extensive three-part research work entitled "En Route with Sednit". Sednit, a notorious cybercriminal group also known as APT28, Fancy Bear and Sofacy, has been operating since 2004, mainly seeking to steal confidential information from specific targets.
- Part 1: «En Route With Sednit: Approaching the Target» focuses on the targets of the phishing campaigns, the attack methods used and the first-stage malware called SEDUPLOADER, which consists of a dropper and its associated payload.
- Part 2: «En Route With Sednit: Observing the Comings and Goings» covers Sednit's activities since 2014 and studies the espionage toolkit used for long-term monitoring of compromised computers through two backdoors (SEDRECO and XAGENT), as well as the XTUNNEL network tool.
- Part 3: «En Route With Sednit: A Mysterious Downloader» describes the first-stage software called DOWNDELPH, which, according to ESET's telemetry data, has been used only seven times. It is worth noting that in some of these cases advanced persistence methods were applied: a Windows bootkit and a Windows rootkit.
"ESET's lasting interest in these malicious activities arose from detecting an impressive number of custom software tools developed by the group over the last two years," said Alexis Dorais-Joncas, head of the ESET security team responsible for investigating the mystery hidden behind the Sednit group.
"The group's weapons are constantly evolving. The group uses brand-new software and techniques on a regular basis, and its flagship malware has evolved significantly in recent years."
According to ESET researchers, the data collected from the Sednit group's phishing campaigns show that over 1,000 high-profile individuals involved in Eastern European politics were attacked. "In addition, the Sednit group, unlike any other espionage group, developed its own exploit kit and a surprisingly high number of 0-day exploits," Dorais-Joncas concluded.
In recent years, the group's high-profile activities have attracted the interest of many researchers in this field. Consequently, the intended contribution of this work is to provide a readable technical description, with a carefully compiled set of IOCs (Indicators of Compromise), readily available both to researchers and to those in charge of analyzing Sednit samples.
All three parts of the research are stored in ESET's GitHub account.
For more information, interested parties can visit ESET's WeLiveSecurity.com portal, where the introductory blog posts for Part 1, Part 2 and Part 3 are available, or look up each part separately in its full form:
Part 1: «En Route with Sednit: Approaching the Target»
Part 2: «En Route with Sednit: Observing the Comings and Goings»
Part 3: «En Route with Sednit: A Mysterious Downloader»
ESET will also publish a summary of all parts on WeLiveSecurity.com.