Fancy Bear Dons Plain Clothes to Try to Defeat Machine Learning
An analysis of a sample published by the US government shows Russian espionage group APT28, also known as Fancy Bear, has stripped down its initial infector in an attempt to defeat ML-based defenses.

The APT28 cyber-espionage group, often called "Fancy Bear" and linked to Russia, has stripped much of the malicious functionality from its initial infector, hiding it in a sea of benign code, according to an analysis published today by Cylance, a subsidiary of Blackberry.


The approach shows that the group has developed greater operational sophistication, says Josh Lemos, vice president of research and intelligence at Cylance (and no relation to the author). The authors of the implant appear to be trying to hide in plain sight by building it on top of well-known libraries such as OpenSSL and the widely used POCO C++ libraries, so that 99% of the more than 3 megabytes of code in the sample is classified as benign, according to Cylance's analysis.


Those steps, taken along with other newly adopted tactics, suggest the group is trying a different approach to dodge evolving defenses, Lemos says.


"It would be odd for them to shift tactics without a reason," he says. "That is what is giving us the belief that this is a response to a lot of players in the industry having shifted to static ML and even the heuristics engines and traditional AV scanners — those are going to have challenges keying in on malicious bits of this code."


Attackers have used a variety of ways to dodge host-based defenses in the past, most often by compressing or encrypting ("packing") parts of the file so that antivirus (AV) scanners cannot match their signatures against the malicious code. In addition, attackers have used domain generation algorithms (DGAs) to ..
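The two detection effects described on this page, a packed payload slipping past a byte signature and a small malicious region being diluted inside a large body of benign-looking code, can be reproduced on constructed data. The Python below is an added example, not code from the article or from Cylance's report; the byte signature, the "malicious" command text, the library-like "benign" text, and the toy XOR packer are all stand-ins chosen for illustration. It shows that a signature misses the payload once it is packed, that a whole-file entropy heuristic catches the packed blob on its own but not once it sits inside ~75 KiB of benign text (the file-level feature is averaged away, which is the same weakness a file-level static ML score has), and that a sliding-window entropy check still flags the buried region.

```python
import math
import random
from typing import Dict, Tuple

# Deterministic RNG so the example is reproducible; any seed works.
_rng = random.Random(0x5EED)

# Hypothetical byte signature a static AV engine might key on (constructed).
SIGNATURE = b"cmd.exe /c whoami"

# Constructed "malicious" payload: ~4 KiB of command-like text containing the signature.
PAYLOAD = b"cmd.exe /c whoami && cmd.exe /c ipconfig /all\n" * 90

# Constructed "benign" body: repetitive library-like source text standing in for
# bundled OpenSSL/POCO-style code that a classifier has learned to trust.
BENIGN_CHUNK = (
    b"int tls_ctx_set_cipher_list(tls_ctx *ctx, const char *spec) { return 1; }\n"
    b"void net::HttpSession::sendRequest(const HttpRequest &req) { /* ... */ }\n"
)
BENIGN_BODY = BENIGN_CHUNK * 512  # roughly 70 KiB


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniform random bytes, roughly 4-5 for ASCII text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pack(payload: bytes, rng: random.Random) -> Tuple[bytes, bytes]:
    """Toy packer: XOR the payload with a random keystream of equal length.
    This stands in for a real packer's encryption layer; the output is
    indistinguishable from random bytes, so it carries no byte signature."""
    key = bytes(rng.getrandbits(8) for _ in payload)
    return bytes(p ^ k for p, k in zip(payload, key)), key


def unpack(blob: bytes, key: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(blob, key))


def signature_hit(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """Classic static detection: exact byte-pattern match."""
    return sig in blob


def file_entropy_flag(blob: bytes, threshold: float = 7.0) -> bool:
    """Whole-file heuristic: flag if the aggregate entropy looks packed/encrypted."""
    return shannon_entropy(blob) >= threshold


def windowed_entropy_flag(blob: bytes, window: int = 1024, stride: int = 512,
                          threshold: float = 7.0) -> bool:
    """Sliding-window heuristic: flag if ANY window looks packed/encrypted.
    Local features are not diluted by surrounding benign code."""
    if len(blob) <= window:
        return file_entropy_flag(blob, threshold)
    return any(shannon_entropy(blob[i:i + window]) >= threshold
               for i in range(0, len(blob) - window + 1, stride))


def run_demo() -> Dict[str, object]:
    """Runs each detector over the plain, packed and diluted samples."""
    packed, key = pack(PAYLOAD, _rng)
    assert unpack(packed, key) == PAYLOAD  # packer round-trips

    # Bury the packed blob inside benign-looking code, as the article describes.
    diluted = BENIGN_BODY + packed + BENIGN_BODY[:4096]
    benign_fraction = (len(BENIGN_BODY) + 4096) / len(diluted)

    return {
        "plain_signature": signature_hit(PAYLOAD),          # signature found
        "packed_signature": signature_hit(packed),          # packing hides it
        "packed_file_entropy": file_entropy_flag(packed),   # high entropy gives it away
        "diluted_file_entropy": file_entropy_flag(diluted), # averaged away by benign code
        "diluted_windowed": windowed_entropy_flag(diluted), # local window still catches it
        "benign_fraction": benign_fraction,                 # ~0.95 of the file is benign text
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>22}: {value}")
```

The takeaway is in the last three results: the same packed region is flagged when scored alone, missed when the score is computed over the whole file, and flagged again when features are computed per window. Any file-level static scorer, whether a hand-written heuristic or a trained model, is exposed to the same dilution the article describes, which is why per-region or per-function features and runtime behavioural signals are needed alongside it.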