  • New SkinnyBoy malware used by Russian hackers to breach sensitive orgs


    Karlston


     

    Security researchers have discovered a new piece of malware called SkinnyBoy that was used in spear-phishing campaigns attributed to Russian-speaking hacking group APT28.

     

    The threat actor, also known as Fancy Bear, Sednit, Sofacy, Strontium, or PwnStorm, used SkinnyBoy in attacks targeting military and government institutions earlier this year.

    Classic tactics, new tool

    SkinnyBoy is intended for an intermediary stage of the attack, to collect information about the victim and to retrieve the next payload from the command and control (C2) server.

     

    According to threat research company Cluster25, APT28 likely started this campaign at the beginning of March, focusing on ministries of foreign affairs, embassies, the defense industry, and the military sector.

     

    Multiple victims are in the European Union but the researchers told BleepingComputer that the activity may have impacted organizations in the United States, too.

     

    SkinnyBoy is delivered through a Microsoft Word document laced with a macro that extracts a DLL file acting as a malware downloader.

     

    The lure is a message with a spoofed invitation to an international scientific event held in Spain at the end of July.

     

    Opening the invitation triggers the infection chain, which starts with extracting a DLL that retrieves the SkinnyBoy dropper (tpd1.exe), a malicious file that downloads the main payload.

     

    Once on the system, the dropper establishes persistence and moves to extract the next payload, which is encoded in Base64 format and appended as an overlay of the executable file.

     

    [Figure: SkinnyBoy - overlay of tpd1.exe]
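A triage check for the staging method described above, a Base64 payload appended after the last PE section. This is an added example, not code from the article or from Cluster25's report; the function names, the 64-byte minimum length and the constructed sample file are assumptions made for illustration.

```python
import base64
import re
import struct

B64_RE = re.compile(rb"[A-Za-z0-9+/\r\n]+={0,2}")

def overlay_offset(pe: bytes) -> int:
    """File offset where the last section's raw data ends; anything after is overlay."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size            # first section header
    end = table + 40 * n_sections               # never report less than the headers
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit 16 bytes into each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end

def base64_overlay(pe: bytes, min_len: int = 64):
    """Return the decoded overlay if it is one Base64 blob, else None.
    A signed file's Authenticode blob also sits in the overlay; it is binary, so no match."""
    overlay = pe[overlay_offset(pe):].strip(b"\0\r\n\t ")
    if len(overlay) < min_len or not B64_RE.fullmatch(overlay):
        return None
    try:
        return base64.b64decode(overlay)
    except ValueError:                          # bad padding: not a clean Base64 blob
        return None

def constructed_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE (headers + one 512-byte section) used as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + sect).ljust(512, b"\0") + b"\xCC" * 512 + overlay

if __name__ == "__main__":
    staged = base64.b64encode(b"MZ" + bytes(range(256)))   # constructed stand-in payload
    sample = constructed_pe(staged)
    print("overlay at", overlay_offset(sample), "decoded bytes:", len(base64_overlay(sample)))
    print("clean file:", base64_overlay(constructed_pe()))
```

A hit is a reason to look closer, not a verdict: some installers and self-extracting archives also carry overlay data.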

     

    This payload deletes itself after extracting two files on the compromised system:

     

    • C:\Users\%username%\AppData\Local\devtmrn.exe (2a652721243f29e82bdf57b565208c59937bbb6af4ab51e7b6ba7ed270ea6bce)
    • C:\Users\%username%\AppData\Local\Microsoft\TerminalServerClient\TermSrvClt.dll (ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698)

     

    To keep a low profile, the malware executes these files at a later stage, after creating a persistence mechanism via a LNK file under the Windows Startup folder, Cluster25 says in a report shared with BleepingComputer.

     

    The LNK file is triggered at the next reboot of the infected machine and looks for the main payload, SkinnyBoy (TermSrvClt.dll), by checking the SHA256 hashes of all the files under C:\Users\%username%\AppData\Local.
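The launcher's lookup can be mirrored for hunting: hash every file under a profile's AppData\Local and compare against the two SHA-256 values listed earlier, so a renamed copy still matches. This is an added example, not code from the article or from Cluster25's report; the function names are hypothetical, and the per-user Startup folder path is an assumption, since the article does not say which Startup folder holds the LNK.

```python
import hashlib
import os
from pathlib import Path

# SHA-256 values and file names exactly as listed in the article above.
SKINNYBOY_SHA256 = {
    "2a652721243f29e82bdf57b565208c59937bbb6af4ab51e7b6ba7ed270ea6bce": "devtmrn.exe",
    "ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698": "TermSrvClt.dll",
}
# Assumption: the per-user Startup folder, relative to the profile directory.
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep_profile(profile, iocs=SKINNYBOY_SHA256):
    """Return (hash_hits, startup_lnks) for one user profile directory."""
    profile = Path(profile)
    hits = []
    for root, _dirs, files in os.walk(profile / "AppData" / "Local"):
        for name in files:
            path = Path(root) / name
            try:
                digest = sha256_file(path)
            except OSError:
                continue          # locked or unreadable file: skip, keep sweeping
            if digest in iocs:    # match on content, so the file name is irrelevant
                hits.append((str(path), iocs[digest]))
    startup = profile / STARTUP_REL
    lnks = sorted(str(p) for p in startup.glob("*.lnk")) if startup.is_dir() else []
    return hits, lnks

if __name__ == "__main__":
    found, shortcuts = sweep_profile(Path.home())
    print("hash hits:", found)
    print("Startup shortcuts to review:", shortcuts)
```

Startup shortcuts are only listed for review; most are legitimate, and the article does not give the name of the malicious LNK.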

     

    SkinnyBoy’s purpose is to exfiltrate information about the infected system and to download and launch the final payload of the attack, which remains unknown at the moment.

     

    Collecting the data is done by using the systeminfo.exe and tasklist.exe tools already present in Windows, which allow it to extract file names in specific locations:

     

    • C:\Users\%username%\Desktop
    • C:\Program Files
    • C:\Program Files (x86)
    • C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    • C:\Users\%username%\AppData\Roaming
    • C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Templates
    • C:\Windows
    • C:\Users\user\AppData\Local\Temp

     

    All the information extracted this way is delivered to the C2 server in an organized fashion and encoded in base64 format.

     

    Cluster25 says that the attacker used commercial VPN services to purchase elements for their infrastructure, a tactic that adversaries typically use to better cover their tracks.

     

    [Figure: SkinnyBoy route]

     

    After observing the tactics, techniques, and procedures, Cluster25 believes that the SkinnyBoy implant is a new tool from the Russian threat group known as APT28. The company has mid-to-high confidence in its attribution.

     

    In the report today, Cluster25 provides YARA rules for all the tools examined by its researchers (SkinnyBoy dropper, launcher, and the payload itself) as well as a list of observed indicators of compromise that can help organizations detect the presence of the new malware.

     

     
