Security News > 2021 > June > New SkinnyBoy malware used by Russian hackers to breach sensitive orgs

Security researchers have discovered a new piece of malware called SkinnyBoy that was used in spear-phishing campaigns attributed to Russian-speaking hacking group APT28.
The threat actor, also known as Fancy Bear, Sednit, Sofacy, Strontium, or PwnStorm, used SkinnyBoy in attacks targeting military and government institutions earlier this year.
SkinnyBoy is intended for an intermediary stage of the attack, to collect information about the victim and to retrieve the next payload from the command and control server.
SkinnyBoy is delivered through a Microsoft Word document laced with a macro that extracts a DLL file acting as a malware downloader.
Opening the invitation triggers the infection chain, which starts with extracting a DLL that retrieves the SkinnyBoy dropper, a malicious file that downloads the main payload. Once on the system, the dropper establishes persistence and moves to extract the next payload, which is encoded in Base64 format and appended as an overlay of the executable file.
After observing the tactics, techniques, and procedures, Cluster25 believes that the SkinnyBoy implant is a new tool from the Russian threat group known as APT28.
News URL
Related news
- Chinese hackers target Russian govt with upgraded RAT malware (source)
- Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery (source)
- Russian Hackers Using ClickFix Fake CAPTCHA to Deploy New LOSTKEYS Malware (source)
- Russian hackers breach orgs to track aid routes to Ukraine (source)
- Russian Hackers Breach 20+ NGOs Using Evilginx Phishing via Fake Microsoft Entra Pages (source)
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool (source)
- Russians lure European diplomats into malware trap with wine-tasting invite (source)
- State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns (source)
- Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp (source)
- Iran-Linked Hackers Target Israel with MURKYTOUR Malware via Fake Job Campaign (source)