APT28 (also commonly known as Fancy Bear, STRONTIUM, Sednit, Sofacy, and more) is a threat group attributed to Russia’s Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. The group is regarded as having been active since at least 2004 and is espionage-motivated. Its targets have included the private sector, military, and governments across the world. In this post, I will review a campaign that I believe to have been conducted by APT28.
While performing research, I came across an interesting document titled “gorodpavlodar.doc”. This document was an attachment within an equally interesting email, which was sent to multiple individuals who, as far as my research indicates, work for a large mining corporation with operations located in Kazakhstan. The email purports to be sent from the “OFFICIAL RESOURCE OF THE CITY OF PAVLODAR”, but was actually sent by the address “firstname.lastname@example.org”. Pavlodar is a city in northeastern Kazakhstan and the capital of the Pavlodar Region. The original email and a translation are shown below; it prompts the recipient to review the attached document.
The attached document also contained text written in Russian, which translated roughly to “Schedule of connecting your residential house to hot water supply” and purported to be from the “Official Internet Resource of Akimat City Pavlodar”. The document appeared to be a form for the recipients to fill out with their address, date of water elimination, and reason for lack of hot water. It also prompts the recipient to enable Editing/Content to view the “protected” document.
Shown above: Suspected APT28 Lure “gorodpavlodar.doc”
Opening the Visual Basic console via the Developer tab in Word reveals a password-protected project that would run if content were enabled. To bypass this password restriction, I opened the document in a hex editor, searched for the string “DPB=” (the field that holds the VBA project password), and changed it to “DPx=”. Opening the project after this change causes Word to throw multiple errors about the invalid key (DPx), but lets me get past the password prompt. This allows me to view the contents of the project, displayed below, which looks to be a UserForm containing quite a lot of data in two of the input boxes, in addition to some labels.
Shown above: Suspected APT28 Lure VBA Project
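The hex-editor step above can be scripted so that it runs against a copy of the document and reports what it found. The following is an added example, not code from the original post: it scans the raw bytes of an OLE2 Word document for the three protection fields the PROJECT stream stores (CMG=, DPB= and GC=) and renames DPB= to DPx=, the same-length substitution described above. The sample PROJECT stream bytes and their hex values are constructed placeholders.

```python
"""Inspect and neutralise the VBA project password field of a Word .doc.

Added example, not code from the original post. The PROJECT stream inside an
OLE2 Word document records macro protection as three text fields, CMG=, DPB=
and GC= (protection state, password, visibility state). Renaming the key
DPB= to DPx=, as done in the hex editor above, keeps the byte length the
same, so no OLE sector offsets move; Word then reports an invalid key and
stops asking for the password.
"""
from __future__ import annotations

import re
from pathlib import Path

# Field syntax as it appears in the PROJECT stream, e.g. DPB="A1B2C3..."
FIELD_RE = re.compile(rb'(CMG|DPB|GC)="([0-9A-Fa-f]+)"')


def find_protection_fields(blob: bytes) -> dict[str, str]:
    """Return the protection fields found in the raw document bytes."""
    return {m.group(1).decode(): m.group(2).decode() for m in FIELD_RE.finditer(blob)}


def neutralise_password(blob: bytes) -> tuple[bytes, int]:
    """Rename every DPB= key to DPx=; returns (patched bytes, replacement count)."""
    count = blob.count(b"DPB=")
    # Same-length replacement: the OLE container layout stays valid.
    return blob.replace(b"DPB=", b"DPx="), count


def patch_copy(src: Path, dst: Path) -> int:
    """Write a patched copy of src to dst; the original file is left untouched."""
    patched, count = neutralise_password(src.read_bytes())
    if count == 0:
        # The PROJECT stream sits in the OLE mini stream and can be split across
        # 64-byte mini sectors, so the key may not be contiguous in the raw file.
        # In that case parse the OLE streams (e.g. with olefile) instead.
        raise ValueError("no DPB= field found; parse the OLE streams instead")
    dst.write_bytes(patched)
    return count


# Constructed stand-in for a PROJECT stream; the hex values are placeholders.
SAMPLE_PROJECT = (
    b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    b"Document=ThisDocument/&H00000000\r\n"
    b'Name="Project"\r\n'
    b'HelpContextID="0"\r\n'
    b'CMG="0A0A0A0A"\r\n'
    b'DPB="1B1B1B1B1B1B"\r\n'
    b'GC="2C2C2C2C"\r\n'
)

if __name__ == "__main__":
    print(find_protection_fields(SAMPLE_PROJECT))
    patched, n = neutralise_password(SAMPLE_PROJECT)
    print(n, b"DPB=" in patched, len(patched) == len(SAMPLE_PROJECT))
```

Run `patch_copy(Path("gorodpavlodar.doc"), Path("gorodpavlodar_nopw.doc"))` on an isolated analysis machine; the original stays as it was, which matters when the sample’s hash is one of the indicators being tracked.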
If I extract the embedded macro, I can see that it essentially does two things: it creates two files (graphic.doc and libssl.exe) from the data embedded within the VBA project, and drops those files in the “C:\Users\[username]\AppData\Roaming” directory.
Shown above: Macro within gorodpavlodar.doc
Following execution of the macro, the original document is deleted and the secondary document “graphic.doc” is opened. This document appears to be a “completed” version of the form contained within the original document, and also contains an embedded macro that executes the aforementioned executable “libssl.exe”.
Shown above: graphic.doc
Following execution of “libssl.exe”, it modifies the registry to maintain persistence (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run). It then initiates Command & Control communications to two hard-coded URLs via HTTP POST requests, www.gorodpavlodar.kz/modules/Contact/Includes/1c.php and www.gorodpavlodar.kz/modules/Contact/Includes/2c.php, using the hard-coded User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64)”. The POSTed data is URL-encoded host information: a unique ID, drive information, hostname, OS, username, BIOS, date, process listing, and more. In the past, these POST requests received binary data in the server responses, but they are now being met with HTTP 404 responses.
Shown above: Suspected Zebrocy Implant C2 network capture
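The chain described above (Word writing graphic.doc and libssl.exe into AppData\Roaming, libssl.exe registering itself under the HKCU Run key, and POSTs to the /modules/Contact/Includes/ URIs with the bare User-Agent) gives three detection points. The block below is an added example, not code from the original post: a small rule set run over constructed endpoint and proxy events shaped like Sysmon file-create and registry-set records and proxy HTTP logs. The event field names, the user name and the Office install path are assumptions; the URI check generalises the two observed paths to any single-digit `Nc.php` under that directory.

```python
"""Detection logic for the gorodpavlodar.doc infection chain described above.

Added example, not code from the original post. It runs over constructed
events (not real telemetry) and flags the three behaviours the post describes:
an Office process writing an executable into AppData\\Roaming, that executable
setting an HKCU Run value, and HTTP POSTs to the Zebrocy URI pattern with the
bare hard-coded User-Agent.
"""
from __future__ import annotations

import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
ROAMING_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.(?:exe|dll|scr)$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Observed URIs were 1c.php and 2c.php; \d generalises to any single digit (assumption).
C2_URI_RE = re.compile(r"^/modules/Contact/Includes/\dc\.php$", re.IGNORECASE)
# The implant sends this string and nothing after it. A real browser appends
# engine and version tokens, so an exact match on the bare prefix is a strong signal.
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> str | None:
    """Return the name of the rule the event matches, or None."""
    kind = ev.get("type")
    if kind == "file_create":
        if _basename(ev["image"]) in OFFICE_IMAGES and ROAMING_EXE_RE.search(ev["target"]):
            return "office_drops_executable_in_roaming"
    elif kind == "reg_set":
        if RUN_KEY_RE.match(ev["key"]) and ROAMING_EXE_RE.search(ev["image"]):
            return "roaming_executable_sets_run_key"
    elif kind == "http":
        if ev["method"] == "POST" and C2_URI_RE.match(ev["uri"]) and ev["user_agent"] == C2_USER_AGENT:
            return "zebrocy_c2_post"
    return None


def detect(events: list[dict]) -> list[str]:
    """Rule names fired over an event stream, in first-seen order, without duplicates."""
    fired: list[str] = []
    for ev in events:
        rule = check_event(ev)
        if rule and rule not in fired:
            fired.append(rule)
    return fired


# Constructed sample events reproducing the chain; paths and user name are placeholders.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\analyst\AppData\Roaming\graphic.doc"},  # a document, not an executable: no alert
    {"type": "file_create", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\analyst\AppData\Roaming\libssl.exe"},
    {"type": "reg_set", "image": r"C:\Users\analyst\AppData\Roaming\libssl.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\libssl",
     "value": r"C:\Users\analyst\AppData\Roaming\libssl.exe"},
    {"type": "http", "method": "POST", "host": "www.gorodpavlodar.kz",
     "uri": "/modules/Contact/Includes/1c.php", "user_agent": C2_USER_AGENT},
    {"type": "http", "method": "GET", "host": "www.gorodpavlodar.kz",
     "uri": "/modules/Contact/Includes/2c.php",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},  # browser visit: no alert
]

if __name__ == "__main__":
    for name in detect(SAMPLE_EVENTS):
        print("ALERT", name)
```

The first two rules are behavioural and keep working if the implant is renamed or the C2 path changes; the third is a tight indicator match and should be paired with the URI and User-Agent entries in the IoC table at the end of the post.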
While I will leave the in-depth malware analysis to those more adept, the observed behaviour of the binary up to this point is very reminiscent of APT28’s “Zebrocy” implant. Furthermore, static analysis of the binary reveals numerous similarities to other documented Zebrocy samples, particularly the one documented here by Vitali Kremez. While this isn’t conclusive evidence that APT28 is responsible for this sample, the similarities between it and other confirmed Zebrocy implants, together with the fact that Kazakhstan has historically been targeted by APT28, are quite suspicious. Regardless, it was an interesting sample to review and gives insight into potential economic espionage activities.
| Indicator | Type | Description |
| --- | --- | --- |
| 27e9247d28598207794424eeb5ea4b1b | MD5 | libssl.exe - Suspected Zebrocy implant |
| a863c2944581bc734619bf8d6ab1aef8 | MD5 | gorodpavlodar.doc - Suspected Zebrocy dropper document |
| /modules/Contact/Includes/1c.php | URI | Suspected Zebrocy implant C2 URI pattern |
| /modules/Contact/Includes/2c.php | URI | Suspected Zebrocy implant C2 URI pattern |
| email@example.com | Email address | Email address used in suspected APT28 campaign |