Fancy Bear hackers target military and government orgs with new SkinnyBoy implant

Researchers at Cluster25 discovered a new malware implant that has been used in spear-phishing attacks aimed at military and government institutions.

Dubbed SkinnyBoy, the implant appears to be the work of the Russian-speaking hacking group APT28, also tracked by security researchers as Fancy Bear, Sednit, Sofacy, Strontium, or PwnStorm.

SkinnyBoy is designed to collect information about the target and to retrieve the next-stage payload from its command and control server.

The malware is delivered via a spear-phishing email containing a Microsoft Word document with a significant name, often related to international conferences or other events involving several countries. The document triggers a macro that extracts a Microsoft Dynamic Link Library (DLL), which acts as a downloader for the SkinnyBoy dropper (tdp1.exe).

Upon infecting the victim’s file system, the dropper establishes persistence and then proceeds to extract the next stage payload, which is encoded in Base64 format and appended as an overlay of the executable file.

Once the payload is decoded, two different files are written to the filesystem, after which the malicious process deletes itself.

In order to keep itself hidden, the malware never executes the extracted files directly; instead it creates a persistence mechanism on the infected machine that allows delayed execution of the next stages. It creates a LNK file under the Windows Startup folder (%appdata%\Microsoft\Windows\Start Menu\Programs\Startup), named devtmrn.lnk, which points to the just-extracted devtmrn.exe.

The LNK file is triggered at the next reboot of the infected system and looks for the main payload, SkinnyBoy (TermSrvClt.dll), by checking the SHA256 hashes of all the files under C:\Users\%username%\AppData\Local.
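A defender-side check for the persistence mechanism described above (a Startup-folder shortcut pointing at a payload dropped under AppData\Local), written as an added example and not taken from the Cluster25 report: it parses the target path out of an MS-SHLLINK .lnk file and flags shortcuts that use the artefact names given on this page or that resolve into user-writable directories. The build_lnk fixture builder and the victim path it uses are constructed for the demonstration.

```python
import struct
from pathlib import Path

HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2
# Artefact names reported by Cluster25, and user-writable dirs a Startup shortcut rarely points into
KNOWN_NAMES = {"tdp1.exe", "devtmrn.exe", "termsrvclt.dll"}
SUSPECT_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\temp\\")

def lnk_target(data: bytes):
    """Return the local target path of a .lnk (MS-SHLLINK LinkInfo), or None."""
    try:
        if struct.unpack_from("<I", data)[0] != 0x4C:  # HeaderSize is always 0x4C
            return None
        flags = struct.unpack_from("<I", data, 0x14)[0]
        pos = 0x4C  # end of ShellLinkHeader
        if flags & HAS_ID_LIST:  # skip the variable-length LinkTargetIDList
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if not flags & HAS_LINK_INFO:
            return None
        _size, _hdr, info_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
        if not info_flags & 0x1:  # VolumeIDAndLocalBasePath unset: network-only link
            return None
        cstr = lambda off: data[pos + off:data.index(b"\x00", pos + off)].decode("latin-1")
        return cstr(base_off) + cstr(suffix_off)  # LocalBasePath + CommonPathSuffix
    except (struct.error, ValueError):  # truncated or malformed shortcut
        return None

def assess_lnk(name: str, data: bytes) -> list:
    """Reasons a Startup-folder shortcut resembles the SkinnyBoy persistence pattern."""
    target = lnk_target(data)
    if target is None:
        return ["no parseable local target"]
    low, reasons = target.lower(), []
    if name.lower() == "devtmrn.lnk" or low.rsplit("\\", 1)[-1] in KNOWN_NAMES:
        reasons.append(f"known SkinnyBoy artefact name -> {target}")
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append(f"target lives in a user-writable directory -> {target}")
    return reasons

def scan_startup(startup_dir: Path) -> dict:
    """Report every .lnk in a Startup folder that triggers at least one reason."""
    return {p.name: r for p in startup_dir.glob("*.lnk") if (r := assess_lnk(p.name, p.read_bytes()))}

def build_lnk(target: str) -> bytes:
    """Constructed fixture: a minimal .lnk whose LinkInfo points at `target`."""
    header = struct.pack("<I", 0x4C) + bytes(16) + struct.pack("<I", HAS_LINK_INFO) + bytes(0x4C - 0x18)
    base, suffix, base_off = target.encode() + b"\x00", b"\x00", 0x1C  # LinkInfo header is 7 DWORDs
    info = struct.pack("<7I", base_off + len(base) + 1, base_off, 0x1, 0, base_off, 0, base_off + len(base))
    return header + info + base + suffix
```

Run scan_startup on the real Startup folder path from the article to hunt across a user profile; the fixture builder exists only so the parser can be exercised offline.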

“The DLL file, named TermSrvClt.dll, corresponds to the actual implant of the infection chain. It exfiltrates information about the infected system and retrieves and launches the final payload. Once triggered, the process executes two Windows utilities to gather information about the system, systeminfo.exe and tasklist.exe. Then, it extracts a list of file names contained in a subset of interesting directories,” the researchers wrote.

All the extracted data is then sent to the attacker’s command and control server.

According to the researchers, to cover their tracks the hacker group used commercial VPN services. The same services were used to purchase and manage their infrastructure during the observed attacks.

“After a period of observation of the described threat and an in-depth analysis of the identified victimology, Cluster25 team attributes the SkinnyBoy implant and the related attack to Russian Group known as APT28 / FancyBear with a mid-to-high confidence,” Cluster25 said.
