Subscribe To Our Newsletter!

Stay up to date on the top trending threats as well as the top stories in Security, Networks, Cloud, IT Ops & AIOps.

KNOW Your Threat Actors Of The Week — APT28 Fancy Bear And Evil Corp

The group is responsible for attacks against the German parliament, the White House, and NATO.

Post by Tanuj Mitra Sep 09, 2020

The threats typically arrive by email and include victim-specific data such as Autonomous System Numbers (ASN) or IP addresses of servers or services they will target if their demands are not fulfilled. The attacks are not continuous but executed regularly enough to disrupt the victim and cause damage to their business and reputation.  Both APT28 Fancy Bear And Evil Corp are highly referenced on our KNOW’s threat intel dashboard. Let’s look at each actor in detail and analyze the data we have from KNOW.

Before we get started, check out last week’s threat actor — Hidden Cobra — and view everything that you need to KNOW.

Threat actor 1: APT28 Fancy Bear

APT 28 aka Fancy Bear aka Sofacy is a highly sophisticated threat group, which is sponsored by the Russian government and operational at least from 2004. This group is responsible for attacks against the German parliament, the White House, NATO. Currently, APT28 leverages ‘VPNFilter’ to actively infect Ukraine based IoT devices. This malware is equipped with self-destructive capabilities, and is able to monitor Modbus SCADA protocols.

APT28 Fancy Bear

Fancy Bear has several other aliases namely Tsar Team, Group 74, Sofacy, etc.

Infamous Fancy Bear attacks

#1 The New Zealand Stock Exchange Attack

Just when you thought 2020 couldn’t get any stranger, we’ve now got armies of infected “zombie computers” attacking institutions including the New Zealand stock exchange and the national weather bureau. The actors conducting the campaign are believed to be those who have previously purported to be Russian cyber espionage group Fancy Bear and the Armada Collective.

#2 Fancy Bear penetrates Democratic National Committee server

In 2016, the notorious Russian hacker group known as Fancy Bear had penetrated a DNC server “at the heart of the network.” By that point, the intruders already had the ability to delete, alter, or steal data from the network at will. And somehow the breach had come as a terrible surprise—despite an FBI agent’s warning to Tamene of potential Russian hacking over a series of phone calls that had begun fully nine months earlier.

Context from KNOW

Industries affected by Fancy Bear

Important data captured by KNOW

  • Risk rules triggered – 4 out of 48 rule(s) triggered
  • Recent sandbox sighting3 sighting(s)
  • Historically linked to malware385 sighting(s)
  • 2 related malware: Lojax, Drovorub.
  • Historically linked to intrusion method27 sighting(s) – phishing, obfuscation, phishing campaign, zero day, business email compromise, spam, password stealer, etc.
  • Historic Sandbox Sighting – 190 sighting(s)

From the Twitterverse

Threat actor 2: Evil Corp

The Evil Corp is a large cybercrime group that is originally known for its use of the Dridex banking Trojan. In recent years, it has demanded ransom payments to the tune of $500,000 to $1 million, according to security researchers. Evil Corp uses compromised credentials to transfer funds from a victim’s bank account to those of accounts controlled by the group. “As of 2016, Evil Corp had harvested banking credentials from customers at approximately 300 banks and financial institutions in over 40 countries, making the group one of the main financial threats faced by businesses,” the US Justice Department said in a statement last year.

Evil Corp specializes in targeting the United States and British financial services sector through their use of the Dridex malware and is thought to have stolen at least US $100 million to date.

evil corp

Evil Corp attack techniques

#1 Attacks are timely and targeted

Garmin was an attractive target for Evil Corp, whose ransomware is believed to be used in the attack on its data and systems. “We saw that Evil Corp targeted Garmin because they knew they were a large corporation with both deep pockets and mission-critical data, which meant they’d pay up,” said Chloé Messdaghi, vice president of strategy at Point3 Security, a provider of training and analytic tools to the security industry.

#2 WastedLocker uses Windows Cache Manager

Over the past few weeks, the WastedLocker Ransomware has become notorious after being attributed to the sanctioned Evil Corp hacking group and used to attack Garmin. To increase Windows’s performance, commonly used files or files specified by an application are read into and stored in the Windows Cache, which utilizes system memory. To bypass detection by anti-ransomware solutions, WastedLocker includes a routine that opens a file, reads it into the Windows Cache Manager, and then closes the original file.

Context from KNOW

Industries affected by Evil Corp

Important data captured by KNOW

  • Risk rules triggered – 5 out of 48 rule(s) triggered
  • Recent sandbox sighting – 1 sighting(s)
  • Historically linked to malware996386 sighting(s)
  • 8 related malware Dridex, Gozi, Gozi ISFB, BitPaymer, FriedEX, Cobalt Strike, WastedLocker, etc.
  • Historically linked to intrusion method – 13 sighting(s) – obfuscation, phishing, data exfiltration, data breach, social engineering, exfiltrate data, credential dumping, etc.
  • Historically linked to C&C server1 sighting(s)

Evil corp data

From the Twitterverse

What is KNOW?

KNOW is Netenrich’s Threat Intel Platform that extracts data from billions of data points and correlates relevant intel and expert analyst insights to help you follow, search, and act—in a fraction of the time it takes now.

One of KNOW’s handiest tools is the trending threats dashboard, which gives you a bird’s eye view of the most potent malware, threat actors, methods, and vulnerabilities in the following time frames:

  • Last 7 days.
  • Last 60 days.

So, want to check out KNOW some more? Why don’t you sign up? Did we mention that it’s completely free?
Or subscribe to get daily threat intel updates.

About the Author

Tanuj Mitra

Tanuj is a storyteller whose ideas and snackable insights are in-sync with dynamic IT operations and modern networks. He likes to develop content that's smartly worded, clutter-breaking, and easy to digest.

Subscribe To Our Newsletter!

The best source of information for Security, Networks, Cloud, and ITOps best practices. Join us.

Thank you for subscribing!