Her researchers ESET announced that they have proceeded with the scaled version of an extensive 3-part research paper entitled "En-Route with Sednit". Sednit, a notorious cyber-criminal group – also known as APT28, Fancy Bear and Sofacy, has been operating since 2004, mainly pursuing theft confidential information from specific targets.
- The 1ο Part: «En Route With Sednit: Approaching the Target» focuses on the goals of phishing campaigns, the attack methods used, and the first malware stage called SEDUPLOADER, consisting of a dropper and its associated load.
- The 2ο Part: «En Route With Sednit: Observing the Comings and Goings» covers Sednit activities since 2014 and studies the espionage toolbox used for the long-term monitoring of compromised computers through the two backdoors (SEDRECO and XAGENT), as well as the XTUNNEL network tool.
- The 3ο Part: «En Route With Sednit: A mysterious Downloader» περιγράφει το λογισμικό first stage που ονομάζεται DOWNDELPH, το οποίο, σύμφωνα με τα στοιχεία της τηλεμετρίας της ESET έχει χρησιμοποιηθεί μόνο επτά φορές. Αξίζει να σημειωθεί ότι σε ορισμένες από αυτές τις χρήσεις εφαρμόστηκαν προηγμένες μέθοδοι παραμονής: Windows bootkit and Windows rootkits.
"Her lasting interest ESET for these malicious activities arose from detecting an impressive number of custom software developed by the group "for the last two years," he said Alexis Dorais-Joncas, head of the group ESET Security market, which is responsible for its investigation mystery hidden behind the group Sednit.
"The team's weapons is constantly evolving. The team uses brand new software and techniques on a regular basis, and their flagship malware has evolved significantly in recent years. ”
According to ESET researchers, data collected from Sednit's phishing campaigns show that more than 1.000 high-profile individuals involved in Eastern European policy were attacked. "In addition, the team Sednit, unlike any other espionage team, she developed her own exploit Kit and developed a surprisingly high number 0-days exploits", She concluded Dorais-Joncas.
In recent years, the group's high-profile activities have attracted the interest of many researchers in the field. Consequently, the intended contribution of this paper is to provide a readable technique description, with tightly clustered IOCs (Indicators of Compromise), readily available to both researchers and those tasked with analyzing the Sednit team's detections.
All three parts of the survey are stored in the account GitHub of ESET.
For more information, stakeholders can visit ESET's WeLiveSecurity.com portal where the introductory blogpost for 1 is availableο Part 1, 2ο Part & the 3ο Part or search each one separately in its full form:
1ο Part: «En Route with Sitting: Approaching the Target »
2ο Part: «En Route with Sitting: Observing the Comings and Goings »
3ο Part: «En Route with Sitting: A Mysterious Downloader »
Η ESET will also issue a summary of all parties to the WeLiveSecurity.com.
