SOFACY is a Russian-backed advanced persistent threat (APT) group, also known as APT28 / Fancy Bear, that has been operating since 2008. Fancy Bear typically targets government, defense, energy, media, and aerospace organizations globally. The group was particularly active in the latter part of 2017 and the first half of 2018.
Recently, Hexcapes observed some samples in the wild targeting Poland. The samples are part of SOFACY’s core toolkit, named X-Agent and X-Tunnel. The notable difference is that in this instance the tools are coded in .NET.
To review, SOFACY’s X-Agent allows keylogging, transmission of files and remote code execution. The X-Tunnel component is their tunneling tool, which allows connections to network address translated environments and is used to hide the C&C activity over an encrypted channel. After a quick look into the samples Hexcapes determined network callouts to be;
8dbe37dfb0d498f96fb7f1e09e9e5c8f : SOFACY X-TUNNEL : gpu.dll
fc0cb1dbab4bc6504e644f311d9bb4a1 : SOFACY X-AGENT : msoutlook.dll
d891c9374ccb2a4cae2274179e8644d8 : SOFACY X-AGENT : mscas.dll
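A triage sketch for the samples listed above, added here as an example and not taken from Hexcapes' tooling: it reports an exact MD5 hit, and otherwise flags a file that carries one of the listed names and is a .NET (CLR) image. The name-plus-.NET rule, the result strings and the `constructed_pe` helper are assumptions of this example; the hashes and file names are the ones on this page.

```python
import hashlib
import struct

# MD5 -> (component, file name), copied from the sample list on this page.
KNOWN_SAMPLES = {
    "8dbe37dfb0d498f96fb7f1e09e9e5c8f": ("X-Tunnel", "gpu.dll"),
    "fc0cb1dbab4bc6504e644f311d9bb4a1": ("X-Agent", "msoutlook.dll"),
    "d891c9374ccb2a4cae2274179e8644d8": ("X-Agent", "mscas.dll"),
}
WATCHED_NAMES = {name for _, name in KNOWN_SAMPLES.values()}
CLR_DIRECTORY = 14  # data-directory index of the CLR runtime header

def is_dotnet_pe(data: bytes) -> bool:
    """True when data is a PE image whose CLR header directory is populated."""
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return False
        opt = pe + 24  # skip 4-byte signature and 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ directory offset
        if dirs is None:
            return False
        count = struct.unpack_from("<I", data, opt + dirs - 4)[0]
        if count <= CLR_DIRECTORY:
            return False
        rva, size = struct.unpack_from("<II", data, opt + dirs + 8 * CLR_DIRECTORY)
        return rva != 0 and size != 0
    except struct.error:  # truncated or malformed header
        return False

def triage(name: str, data: bytes) -> str:
    """Exact hash hit, weaker name-plus-.NET lead (added heuristic), or no match."""
    md5 = hashlib.md5(data).hexdigest()
    if md5 in KNOWN_SAMPLES:
        return "hash-match:" + KNOWN_SAMPLES[md5][0]
    if name.lower() in WATCHED_NAMES and is_dotnet_pe(data):
        return "review:dotnet-dll-with-listed-name"
    return "no-match"

def constructed_pe(managed: bool) -> bytes:
    """Constructed test input: a header-only PE32 stub, optionally with a CLR entry."""
    buf = bytearray(0x200)
    buf[:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)     # e_lfanew
    struct.pack_into("<H", buf, 0x98, 0x10B)    # optional-header magic (PE32)
    struct.pack_into("<I", buf, 0x98 + 92, 16)  # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", buf, 0x98 + 96 + 8 * CLR_DIRECTORY, 0x2008, 0x48)
    return bytes(buf)
```

A hash hit is the only result tied to these exact samples; the name-plus-.NET result is a lead for manual review, since a rebuilt binary changes its MD5 but often keeps its file name.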