Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

APT29 Uses Stealthy Backdoor to Maintain Access to Targets

Researchers at FireEye-owned Mandiant have conducted a detailed analysis of a stealthy backdoor used by the Russia-linked cyberespionage group APT29 to maintain access to targeted systems.

Researchers at FireEye-owned Mandiant have conducted a detailed analysis of a stealthy backdoor used by the Russia-linked cyberespionage group APT29 to maintain access to targeted systems.

Dubbed “POSHSPY,” the malware is believed to be a secondary backdoor used by the cyberspies in case they lose access to their primary backdoors. Mandiant first spotted POSHSPY in 2015 during an incident response engagement, and identified it on the networks of several organizations over the past two years.

Similar to other pieces of malware used by APT29, POSHSPY leverages PowerShell and the Windows Management Instrumentation (WMI) administrative framework.

WMI can be used to obtain system information, start and stop processes, and configure conditional triggers. In the case of POSHSPY, WMI is used to run a PowerShell command that decrypts and executes the backdoor code directly from a WMI property, thus ensuring that no artifacts are left on the hard drive.

The WMI component of POSHSPY executes the PowerShell component on every Monday, Tuesday, Thursday, Friday and Saturday at 11:33 AM local time.

Experts pointed out that the use of legitimate Windows tools and the other techniques employed in these attacks increase the backdoor’s chances of evading detection.

“POSHSPY’s use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory,” explained Matthew Dunwoody, incident response consultant at Mandiant.

“The backdoor’s infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult. Every aspect of POSHSPY is efficient and covert,” Dunwoody added.

Advertisement. Scroll to continue reading.

The malware allows attackers to download and execute additional PowerShell code and executable files. The threat communicates with command and control (C&C) servers located at URLs generated using a domain generation algorithm (DGA) that relies on lists of domain names, TLDs, subdomains, URIs, file names and file extensions. C&C communications are encrypted using AES and RSA public key cryptography.

FireEye has not shared any information on which countries or what types of organizations have been targeted in attacks involving the POSHSPY backdoor.

The APT29 group has put some effort into making its operations more difficult to detect. Earlier this month, FireEye detailed the threat actor’s use of a technique called “domain fronting” to disguise the malicious traffic generated by its tools.

APT29 is also known as The Dukes, Cozy Bear and Cozy Duke. The group is believed to be behind the recent election-related attacks in the U.S. and a campaign targeting high-profile organizations in Norway.

Related: Cyberspies Launch U.S. Attacks Hours After Trump Elected

Related: U.S. Gov’s “GRIZZLY STEPPE” Report Fails to Achieve Purpose

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Janet Rathod has been named VP and CISO at Johns Hopkins University.

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

More People On The Move

Expert Insights