Sofacy APT Adopts New Tactics and Far East Targets

CANCUN, Mexico – A new analysis of the Russian-speaking Sofacy APT gang shows a continual march toward Far East targets and overlapping of activities with other groups such as Lamberts, Turla and Danti.

Researchers at Kaspersky Lab this morning at its Security Analyst Summit, released their update on Sofacy, also known as APT28, Fancy Bear, Sednit and a handful of other monikers. The report shows how Sofacy is continuing to evolve in 2018.

Most intriguing to researchers is the overlap between Sofacy and the English-speaking threat actor behind the Lamberts, also known as Longhorn. Researchers made the discovery connecting the two APTs when the presence of Sofacy was found on a server in China belonging to a company with ties to the aerospace and defense industry. The server was previously identified as compromised by Grey Lambert malware.

In this case, Sofacy’s SPLM (aka Xagent, aka CHOPSTICK) tool was found on the server, but it’s unclear what tactics were used by the APT to plant the malware. Researchers theorize a PowerShell script or legitimate but vulnerable web app was exploited to load and execute the SPLM code.

The samples of SPLM that researchers examined demonstrate how Sofacy now maintains “distinct subdivisions for each of its main tools, with clusters for the coding, development and targeting of SPLM, GAMEFISH, and Zebrocy,” according to Kaspersky researchers.

“The unusual thing about what happened with the SPLM is that in 2018, we’re seeing them break out their modules. Whether it is file stealers, remote shells, or key loggers, we are seeing more individual modules being deployed onto systems,” said Kurt Baumgartner, a researcher with Kaspersky Lab’s Global Research and Analysis Team.

“They are beginning to shift to chunks and pieces of modules and we are seeing a lot of .Net and Power Shell malware activity from these guys,” Baumgartner said.

Sofacy’s roots go back to around 2007, Kaspersky researchers said, and has changed its strategy a number of times, notably in 2009 and 2011.

“In all likelihood, they noticed in 2017 that targets they were attempting to deploy this full back door (SMLP/Xagent) to, was simply not effective anymore,” Baumgartner said. “The Xagent code base is pretty well known. When you look at the 2016 DNC hack, they took that same code base and made a few changes to the encryption cyphers to hide away settings such as domains, IP addresses, debug messages and file pads. That code modification didn’t hide (SPLM) from malware tools. So it isn’t really effective in getting what they wanted anymore.”

Baumgartner said he expects to Sofacy to continue its pivot to the Far East in 2018 along with decreased reliance on C++ code in exchange for more .NET and PowerShell scripts.