The researchers of ESET announced that they had proceeded with the gradual publication of an extensive research work of 3 sections entitled "En-Route with Sednit". Sednit, a notorious cybercriminal group - also known as APT28, Fancy Bear and Sofacy - has been operating since 2004, mainly seeking to steal confidential information from specific targets.
- The 1ο Part: «En Route With Sednit: Approaching the Target» focuses on the goals of phishing campaigns, the attack methods used, and the first malware stage called SEDUPLOADER, consisting of a dropper and its associated load.
- The 2ο Part: «En Route With Sednit: Observing the Comings and Goings» has been covering Sednit's activities since 2014 and studying the toolcase espionage tool used for long-term monitoring of compromised computers through the two backdoors (SEDRECO and XAGENT), as well as the XTUNNEL network tool.
- The 3ο Part: «En Route With Sednit: A mysterious Downloader» describes the first stage software called DOWNDELPH, which according to ESET telemetry data has been used only seven times. It is worth noting that in some of these uses advanced methods of stay were used: Windows bootkit and Windows rootkit.
"Her lasting interest ESET for these malicious activities arose from detecting an impressive number of custom software developed by the group "for the last two years," he said Alexis Dorais-Joncas, head of the group ESET Security market, which is responsible for its investigation mystery hidden behind the group Sednit.
"The team's weapons is constantly evolving. The team uses brand new software and techniques on a regular basis, and their flagship malware has evolved significantly in recent years. ”
According to ESET researchers, data collected from Sednit's phishing campaigns show that more than 1.000 high-profile individuals involved in Eastern European policy were attacked. "In addition, the team Sednit, unlike any other espionage team, she developed her own exploit Kit and developed a surprisingly high number 0-days exploits", She concluded Dorais-Joncas.
In recent years, the group's high-profile activities have attracted the interest of many researchers in the field. Consequently, the intended contribution of this paper is to provide a readable technique description, with tightly clustered IOCs (Indicators of Compromise), readily available to both researchers and those tasked with analyzing the Sednit team's detections.
All three parts of the survey are stored in the account GitHub of ESET.
For more information, stakeholders can visit ESET's WeLiveSecurity.com portal where the introductory blogpost for 1 is availableο Part 1, 2ο Part & the 3ο Part or search each one separately in its full form:
1ο Part: «En Route with Sitting: Approaching the Target »
2ο Part: «En Route with Sitting: Observing the Comings and Goings »
3ο Part: «En Route with Sitting: A Mysterious Downloader »
Η ESET will also issue a summary of all parties to the WeLiveSecurity.com.
