Researchers at Cylance have analyzed a new implant attributed to the threat group Fancy Bear (also known as APT28). The backdoor appears to have been built with the explicit goal of defeating defenses based on AI and machine learning.
According to the researchers, the authors pared the implant down to a small malicious core and buried it in a large amount of legitimate code. The implant is a multi-threaded DLL that gives the group full access to, and control of, the target system.
“Analysis reveals the implant is a multi-threaded DLL backdoor that gives the threat actor (TA) full access to, and control of, the target host. When commanded by C2, the implant can upload or download files, create processes, interact with the host via a command shell and connect to C2 according to a defined sleep/activity schedule,” Cylance's researchers report.
This approach shows how carefully the operators work. The implant's authors disguise it with well-known libraries such as OpenSSL and the widely used POCO C++ libraries, so that 99% of the more than 3 megabytes of code is classified as legitimate. The researchers suggest this is an attempt to slip past evolving security systems, which increasingly score a file as a whole rather than looking for a known signature.
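To make the dilution problem concrete, here is an added toy example (not code from Cylance's report and not derived from the implant itself). It builds a constructed 3 MiB blob that is almost entirely library-like strings with one 4 KiB block of backdoor-like strings, then compares a naive whole-file score against the maximum score over fixed-size windows. The token watchlist, window size and thresholds are assumptions chosen for illustration, not any vendor's detection logic.

```python
"""Added example, not from Cylance's report nor from the implant itself:
a toy static scorer that shows why a malicious core buried in megabytes
of legitimate library code can dilute a whole-file verdict, and why
scoring fixed-size windows (and taking the maximum) resists that
dilution. The sample, the token watchlist and the thresholds are all
constructed here for illustration."""

# Strings a command-shell / file-transfer backdoor typically references.
# Hypothetical watchlist for this demo, not any real product's signature.
SUSPICIOUS_TOKENS = [
    b"cmd.exe",
    b"CreateProcessA",
    b"WinExec",
    b"URLDownloadToFileA",
    b"ShellExecuteA",
]

WINDOW = 4096               # bytes scored at a time (assumed)
HITS_PER_KB_FOR_MAX = 2.0   # token density that saturates the score (assumed)


def token_hits(data: bytes) -> int:
    """Number of watchlist token occurrences found in data."""
    return sum(data.count(tok) for tok in SUSPICIOUS_TOKENS)


def density_score(data: bytes) -> float:
    """Score in [0, 1]: watchlist hits per KiB, saturating at 1.0."""
    if not data:
        return 0.0
    per_kb = token_hits(data) / (len(data) / 1024)
    return min(1.0, per_kb / HITS_PER_KB_FOR_MAX)


def build_sample(total_size: int = 3 * 1024 * 1024,
                 payload_offset: int = 1024 * 1024) -> bytes:
    """Constructed DLL-like blob: OpenSSL/POCO-style strings filling
    ~3 MiB, with a single 4 KiB window of backdoor-like strings."""
    if payload_offset % WINDOW != 0:
        raise ValueError("payload_offset must be window-aligned for this demo")
    library_strings = (
        b"OpenSSL\0SSL_CTX_new\0EVP_EncryptInit_ex\0"
        b"Poco::Net::HTTPClientSession\0Poco::Thread::run\0"
    )
    benign = (library_strings * (total_size // len(library_strings) + 1))[:total_size]
    payload = b"\0".join(SUSPICIOUS_TOKENS * 2)   # each token twice -> 10 hits
    payload = payload.ljust(WINDOW, b"\x90")      # pad to exactly one window
    return benign[:payload_offset] + payload + benign[payload_offset + WINDOW:]


def analyze(sample: bytes) -> dict:
    """Whole-file score vs. the max over fixed windows, and where it was."""
    whole = density_score(sample)
    best_score, best_off = 0.0, 0
    for off in range(0, len(sample), WINDOW):
        s = density_score(sample[off:off + WINDOW])
        if s > best_score:
            best_score, best_off = s, off
    return {
        "size": len(sample),
        "legit_fraction": 1 - WINDOW / len(sample),
        "whole_file_score": whole,
        "max_window_score": best_score,
        "max_window_offset": best_off,
    }


if __name__ == "__main__":
    report = analyze(build_sample())
    for key, value in report.items():
        print(f"{key:>18}: {value}")
```

With these assumptions the whole-file density score is effectively zero because ten hits are averaged over three megabytes, while the window that holds the payload saturates at 1.0. The practical takeaway is the same one the researchers draw: a classifier whose features are computed over the entire binary can be starved by padding with legitimate code, so scoring should be localized (per section, per function, or per window) and the verdict taken as a maximum rather than an average.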
“Since the file is packaged as a DLL, the intention would be to inject it into a long-running process that is granted Internet access (such as a NetSvc service group) or one having local firewall permissions. We do not believe this DLL is intended to operate as a module for a larger tool,” the Cylance researchers conclude.
In the past, attackers have used a variety of methods to evade endpoint protection, most commonly encrypting parts of a file to prevent antivirus detection. They have also used domain generation algorithms to fetch code from hard-to-predict locations, bypassing antivirus scans.
Masking malware as legitimate code is an old technique. Deception is a key part of the attacker's toolkit, but fooling machine-learning classifiers trained to recognize malicious functionality is much harder than slipping past a signature.
APT28 has been active since at least 2007 and now specializes in stealing sensitive information from government and military organizations. The group continually develops its malware and uses sophisticated coding techniques that complicate analysis.