{"id":15117,"date":"2015-12-04T11:24:19","date_gmt":"2015-12-04T11:24:19","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=4882"},"modified":"2020-12-23T12:02:55","modified_gmt":"2020-12-23T17:02:55","slug":"sofacy-apt","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/sofacy-apt\/15117\/","title":{"rendered":"Sofacy new waves: billowing with new tricks"},"content":{"rendered":"<p><em>Do you work with government or military contractors? Or are YOU the contractor? Then be warned: the Sofacy targeted attack actor has scaled up its activities \u2013 and may be interested in your data.<\/em><\/p>\n<p><a href=\"https:\/\/securelist.com\/blog\/research\/72924\/sofacy-apt-hits-high-profile-targets-with-updated-toolset\/\" target=\"_blank\" rel=\"noopener\">Sofacy<\/a> is a highly professional Russian-speaking threat actor, known for its daring attacks on government and military targets and active from circa 2008. Suspected of a connection with the notorious <a href=\"https:\/\/securelist.com\/blog\/incidents\/31112\/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor\/\" target=\"_blank\" rel=\"noopener\">Miniduke<\/a> actors, Sofacy has been notable for its extensive use of 0-day exploits. As attacks are highly dynamic and Sofacy constantly switches targets in search of new victims, it\u2019s almost impossible to predict who, or even where in the world, their next victims may be.<\/p>\n<p>In the past, we\u2019ve seen victims of Sofacy in countries including Ukraine, France, Greece, UK, Jordan and Belgium. 
The group also has a history of targeting military contractors who sell to NATO and other countries.<\/p>\n<p>This year, however, the plot of Sofacy\u2019s targeted attack development story has taken a new twist. The group has increased its activities almost tenfold, and those activities provide a classic case study in just how far sophisticated attacks differ from the vast sea of \u2018mass-market\u2019 malware. True to their zero-day-wielding reputation, they used no fewer than five new exploits targeting Java, Flash and Microsoft Windows and Office.<\/p>\n<h2>New features \u2013 new problems<\/h2>\n<p>First, in July 2015, Sofacy\u2019s authors dropped two completely new exploits \u2013 Microsoft Office and Oracle Java 0-days. Then in August, during a new wave of attacks focused on military-related targets, they developed a brand new version of their first-level implant, dubbed AZZY, which was specifically aimed at high-profile victims.<\/p>\n<p>With critical targets like these in their sights, <strong>attackers watch closely over<\/strong> their ongoing espionage <strong>operations<\/strong>, reacting at high speed and with deadly efficiency to each defensive action on the part of their victims. In this instance, the appropriate signature, once deployed, continued statically detecting the AZZY malware <strong>for only an hour or so<\/strong> before this attack method was dropped. By then, the attackers, working at extremely high speed, had already compiled a second x64 backdoor \u2013 which naturally avoided further detection by the static signature. 
Kaspersky Lab\u2019s <strong>behavior-based System Watcher technology<\/strong><a href=\"#_ftn1\" name=\"_ftnref1\" target=\"_blank\" rel=\"noopener\">[1]<\/a>, however, detected this new sample version without too much trouble.<\/p>\n<p>Meanwhile, the extremely short time-lapse before the appearance of the new backdoor suggested that, rather than being delivered by an exploit, the backdoor was being downloaded by malware already residing in the targeted system. A further search proved this to be true.<\/p>\n<p>The new, previously unknown malware was found in the shape of a .dll file residing in one of the target\u2019s hidden system directories. Just how this top-level malware was introduced into the target system remains unknown.<\/p>\n<p>To complicate things even further, another malware .dll was serving as a communication agent, interacting with the attackers\u2019 Command &amp; Control servers. This modularized approach allowed the attackers to reduce the chances of behavioral and even manual discovery.<\/p>\n<p>In addition, mindful of the air-gaps often employed by their targets to guard their secrets, the Sofacy actors developed a family of USBSTEALER modules. These would allow spying malware to communicate with its creators, its messages carried on USB portable storage devices through the guarded perimeter and into the outer world.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-large wp-image-4885\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/05\/06020255\/1.png\" alt=\"1\" width=\"1024\" height=\"1024\"><\/p>\n<h2>\u2026but it\u2019s solvable<\/h2>\n<p>The Sofacy operation makes one thing very clear: a <strong>\u2018generic\u2019 approach<\/strong> to information security <strong>is definitely not enough<\/strong> against such agile attackers. 
As is so often demonstrated, the best defense against targeted attacks is a comprehensive strategy relying on a multi-layered security approach.<\/p>\n<p>Combining anti-malware technologies with patch management, Host-based Intrusion Prevention (HIPS) and ideally, allowlists and default-deny would significantly reduce the chances of a successful intrusion mounted in this way.<\/p>\n<p>While attack via USB storage is often considered outdated in the modern threat landscape, no one should underestimate the danger presented by these devices.<\/p>\n<p>The use of Device Control technology can limit the use of USB devices and prevent data from leaving the defensive perimeter \u2013 or attackers\u2019 own toolset components from reaching into or outside of air-gapped networks.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/12\/06020416\/2-1024x1024.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/12\/06020416\/2-1024x1024.png\" alt=\"\" width=\"1024\" height=\"1024\" class=\"aligncenter size-full wp-image-15518\"><\/a><\/p>\n<p>Employing a number of small modules, each undertaking just one small part of the attack, in order to keep under the radar of the behavioral engine, is just one of a plethora of tricks. 
To significantly increase the chances of discovery, one needs a bird\u2019s eye view of activities occurring at different levels of IT infrastructure (including both network and endpoints) \u2013 and some way of identifying and correlating a number of seemingly innocuous separate events into a security alarm.<\/p>\n<p>Kaspersky Lab\u2019s <a href=\"https:\/\/www.kaspersky.com\/enterprise-it-security\/anti-apt-solution\/\" target=\"_blank\" rel=\"noopener nofollow\">upcoming advanced threat detection solution<\/a> does exactly this, and more, providing a comprehensive and highly scalable platform for the analysis of events and objects throughout the whole IT network. It enables the timely detection of Targeted Attacks, however subtle the indicators might be.<\/p>\n<p>To further empower your defensive strategy, Kaspersky Lab also offers\u00a0a comprehensive portfolio of <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/intelligence-services\" target=\"_blank\" rel=\"noopener nofollow\">Intelligence Services<\/a>. This portfolio of services enables your Security Officers to strengthen multiple facets of your security, from calling upon our incident response expertise to boosting your overall security posture through applying our leading-edge intelligence.<\/p>\n<h2>Conclusion<\/h2>\n<p>Of course, such attacks are essentially a large enterprise issue. Sofacy\u2019s new wave focuses primarily on military contractors, who could theoretically provide entry points into the military itself. 
But do please be aware of new trends in the cybersecurity world, even if your own business is not a large one and has no military customers. The chains by which attackers reach their targets can comprise many links, and smaller companies can sometimes have extremely valuable secrets.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/12\/06020415\/3a-1024x1024.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/12\/06020415\/3a-1024x1024.png\" alt=\"\" width=\"1024\" height=\"1024\" class=\"aligncenter size-full wp-image-15519\"><\/a><\/p>\n<p>Known Sofacy samples are detected by Kaspersky Lab\u2019s solutions under the following verdicts:<\/p>\n<ul>\n<li>Win32.Sofacy.al<\/li>\n<li>Win32.Sofacy.be<\/li>\n<li>Win32.Sofacy.bf<\/li>\n<li>Win32.Sofacy.bg<\/li>\n<li>Win32.Sofacy.bi<\/li>\n<li>Win32.Sofacy.bj<\/li>\n<li>Win64.Sofacy.q<\/li>\n<li>Win64.Sofacy.s<\/li>\n<li>HEUR:Trojan.Win32.Generic<\/li>\n<\/ul>\n<p>The exploits are stopped with the following verdicts:<\/p>\n<ul>\n<li>PDM:Exploit.Java.Generic<\/li>\n<li>PDM:Exploit.Win32.Generic<\/li>\n<\/ul>\n<p>____________<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\" target=\"_blank\" rel=\"noopener\">[1]<\/a> System Watcher behavioral technology provides protection from unknown malware and Advanced Threats in all tiers of <a href=\"https:\/\/www.kaspersky.com\/business-security\/small-to-medium-business\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Endpoint Security for Business<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Do you work 
with government or military contractors? Or are YOU the contractor? Then be warned: the Sofacy targeted attack actor has scaled up its activities \u2013 and may be<\/p>\n","protected":false},"author":611,"featured_media":15517,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[499,2361],"class_list":{"0":"post-15117","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apt","10":"tag-sofacy"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/sofacy-apt\/15117\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/sofacy-apt\/3370\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/sofacy-apt\/15117\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/sofacy-apt\/15117\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/611"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15117"}],"version-history":[{"count":6,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15117\/revisions"}],"predecessor-version":[{"id":38212,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15117\/revisions\/38212"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15517"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/w
p-json\/wp\/v2\/media?parent=15117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}