Security News > 2021 > June > Russian Hackers Use New 'SkinnyBoy' Malware in Attacks on Military, Government Orgs
The Russia-linked threat group known as APT28 has been observed using a new backdoor in a series of attacks targeting military and government institutions, researchers with threat intelligence company Cluster25 reveal.
For initial access, the threat actor is known to use tactics such as watering hole attacks, social engineering, zero-day vulnerabilities, and stolen credentials, followed by the deployment of tools and malware that allow it to achieve persistence and gain access to information of interest.
While the tactics observed in this campaign were no different from previous attacks, what stood out was the use of a new backdoor that Cluster25's researchers have dubbed SkinnyBoy.
The attacks would start with spear-phishing emails delivering a Word document carrying malicious macros that extract a DLL designed to fetch the SkinnyBoy dropper, which achieves persistence and downloads all the components for the next stage.
The SkinnyBoy implant was designed to exfiltrate information from the infected system, as well as to fetch and run directly in memory the final payload, "Which probably exhibits typical backdoor behaviors," Cluster25 notes.
"After a period of observation of the described threat and an in-depth analysis of the identified victimology, Cluster25 team attributes the SkinnyBoy implant and the related attack to Russian group known as APT28/FancyBear with a mid-to-high confidence," the researchers conclude.
News URL
Related news
- Russian Espionage Group Targets Ukrainian Military with Malware via Telegram (source)
- Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations (source)
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers use RDP proxies to steal data in MiTM attacks (source)
- Russian charged by U.S. for creating RedLine infostealer malware (source)