#Sofacy

#Sofacy targeting the embassy of Romania in Moscow (moscova@mae.ro) - Email Subject: Upcoming Defense events February 2018 C2: cdnverify\.net Further Analysis in "Raw Threat Intelligence": https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.6uhbnchvhbvu …pic.twitter.com/lx2ollTBrn

#Sofacy related sample uploaded from Macedonia - "UDS 2019 Current Agenda.doc" C2: photopoststories\.com https://www.virustotal.com/#/file/04bd6c3d9fa30b4d9410b89ba44c9e29aab22a1345115e8eef9cddc86d1eea25/detection … drops: ebdc6098c733b23e99daa60e55cf858b C:\Users\admin\AppData\Local\Temp\clnb.dat C:\ProgramData\adobe.dllpic.twitter.com/9j8FRYu65W

#Sofacy/APT28: sometimes portrayed as wild & reckless, but as seen under our visibility, the group can be pragmatic, measured, and agile. Analysis of current deployment, code, cryptography, and targeting: https://kas.pr/toc5 pic.twitter.com/cuvA3yBfOL

New #Unit42 research: #Sofacy continues global attacks and wheels out new ‘Cannon’ Trojan. Get the full report https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/ …pic.twitter.com/07b85lWiLh

#Sofacy #APT28 using #DDE to spread Zebrocy malware & Koadic open source JScript RAT >> https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ … >> https://github.com/zerosum0x0/koadic …pic.twitter.com/3knodAqMFH

The #Sofacy threat group continues to carry out attacks using their #Zebrocy tool. The developers have once again created a new version of the #Trojan using a different programming language, specifically the Go language: https://bddy.me/2PMx64q pic.twitter.com/82s4UAWlkI

The delivery documents in this attack campaign loaded remote templates whose #macros installed a variety of first-stage #payloads. Learn about Dear Joohn, the #Sofacy Group’s global campaign: https://bddy.me/2UEfTxy pic.twitter.com/V6XaSQAiMo

#Sofacy uses a variant of #Zebrocy written in the Go language in recent attacks https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/ …pic.twitter.com/zqYTi7UlKZ

2019-02-16: #APT28/#Sofacy #Seduploader "WINWORD.EXE" filename check | "ntdll.dll" | "Carberp"-like API Resolver (PEB -> PEB_LDR_DATA -> BaseDllName -> InLoadOrderModuleList) Client<->Server: space-delivery[.com Oct 2017; Newer Sample Upload MD5: 63b9b451c6daac14a838b318bbba458epic.twitter.com/Z098XlkzfY

A new #Sofacy #APT28 #malware sample, was only 5/66 on VT when first uploaded. Shares ~%85 code with other #APT28 samples: https://analyze.intezer.com/#/analyses/1c98d8c6-13f2-4bda-83a7-8057c17ae022 … Thx @JohnLaTwC for tweeting about this one!pic.twitter.com/BWoiuHtqFW

#Sofacy #Strontium #APT28 spread new campaign. Target: #IoT devices. C2: 167.114.153.55 94.237.37.28 82.118.242.171 31.220.61.251 128.199.199.187 Persistence obtained by a script shell. Among the #IoC once again Hostinger.pic.twitter.com/Zj7jLs1SnY

Researchers hunting cyber-espionage group #Sednit (also known as #Sofacy, #Fancy Bear and #APT28) say they have discovered the first-ever instance of a #rootkit used in successful attacks. https://kas.pr/wm6y pic.twitter.com/b0oHzHcr1g

interesting sample talking to domain microsoft-check[.]com associated with Microsoft Civil Action against #Sofacy https://noticeofpleadings.com/strontium/files/prop_ord_dj_pi_appb.pdf … / https://www.virustotal.com/de/file/cbdf89e17b3d0b0fbcb825977f3a70f94235bcc4023974abbe5e17c6ace553a8/analysis/ … creates a schtask with #MuddyWater style *wtf*pic.twitter.com/8f2vCrk90y