The Fancy Bear hackers (aka Sofacy, Sednit, APT28, Strontium, and Pawn Storm) have been using new malware variants, specially built to evade detection, to target organizations located in Italy. Because of this, Z-Lab security researchers have labeled the latest campaign “Roman Holiday.” One of the malware variants turned out to be an upgraded version of the group’s Mac malware, X-Agent.
New X-Agent malware
This custom backdoor was originally created by the Russian hacker group mainly to target Mac systems; however, Z-Lab researchers found that a recent upgrade has the malware targeting Windows systems, too.
The new variant of the X-Agent malware is written in Delphi. Z-Lab researchers found that X-Agent’s payload communicates with its C2 server over HTTPS, so the content of the malicious traffic is encrypted in transit and very hard for anyone monitoring the network to inspect.
Roman Holiday Campaign
Another malware sample, believed to be unrelated to the X-Agent variants, was also detected by the researchers, and it is said to share several similarities with payloads previously used by the Russian hacker group.
The report by Z-Lab states: “This malware is particularly interesting for us because it contacts a command and control with the name ‘marina-info.net’, a clear reference to the Italian Military corps, Marina Militare. This leads us into speculating that the malicious code was developed as part of targeted attacks against the Italian Marina Militare, or some other entities associated with it.”
Even though the unnamed malware sample appears unrelated to either of the X-Agent variants, the researchers believe it is likely a component used by the Fancy Bear hackers alongside the group’s X-Agent variant in the Roman Holiday operation against the Italian military and other organizations.
Z-Lab researchers said: “We cannot exclude that the APT group developed the backdoor to target specific organizations including the Italian Marina Militare or any other subcontractor. In our analysis we were not able to directly connect the malicious dll file to the X-Agent samples, but we believe they are both part of a well-coordinated surgical attack powered by APT28.”
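Because the X-Agent payload talks to its C2 over HTTPS, the traffic content is not readily inspectable, but the DNS lookup and the TLS SNI still expose the domain the report names. The following added example (not code from Z-Lab or from the article) scans constructed DNS and TLS proxy log lines for the reported C2 domain and its subdomains; the log format, client addresses and timestamps are assumptions for illustration.

```python
import re
from typing import Iterable, List, Tuple

# C2 domain named in the Z-Lab report (the only indicator given on the page)
KNOWN_C2_DOMAINS = {"marina-info.net"}

# Constructed sample log lines (not real telemetry): a DNS resolver log and a TLS proxy log
SAMPLE_LOGS = [
    "2018-07-11T09:14:02Z dns client=10.0.0.21 query=marina-info.net type=A",
    "2018-07-11T09:14:03Z tls client=10.0.0.21 sni=marina-info.net dst=203.0.113.7:443",
    "2018-07-11T09:15:10Z dns client=10.0.0.33 query=update.MARINA-INFO.NET. type=A",
    "2018-07-11T09:16:44Z dns client=10.0.0.40 query=notmarina-info.net type=A",
    "2018-07-11T09:17:01Z tls client=10.0.0.52 sni=example.org dst=198.51.100.9:443",
]

DOMAIN_FIELD = re.compile(r"\b(?:query|sni)=([A-Za-z0-9.-]+)")
CLIENT_FIELD = re.compile(r"\bclient=(\S+)")


def normalize(domain: str) -> str:
    """Lower-case and drop a trailing root dot so lookups compare consistently."""
    return domain.lower().rstrip(".")


def matches_ioc(domain: str, iocs=KNOWN_C2_DOMAINS) -> bool:
    """True if domain equals an indicator or is a subdomain of one.
    The label boundary check ('.' + ioc) keeps e.g. notmarina-info.net from matching."""
    d = normalize(domain)
    return any(d == ioc or d.endswith("." + ioc) for ioc in iocs)


def find_c2_hits(lines: Iterable[str], iocs=KNOWN_C2_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (client, domain, log_source) for every DNS query or TLS SNI hitting an indicator."""
    hits = []
    for line in lines:
        m = DOMAIN_FIELD.search(line)
        if not m or not matches_ioc(m.group(1), iocs):
            continue
        c = CLIENT_FIELD.search(line)
        source = line.split()[1]  # second token is the log type (dns/tls) in this constructed format
        hits.append((c.group(1) if c else "?", normalize(m.group(1)), source))
    return hits


if __name__ == "__main__":
    for client, domain, source in find_c2_hits(SAMPLE_LOGS):
        print(f"{source:4} {client:12} -> {domain}")
```

A client that resolves the domain and then opens a TLS session to it (as 10.0.0.21 does in the sample) is the pattern worth escalating, since the encrypted payload itself will not show anything.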
Thoughts anyone? Share your comments below.