{"id":2409,"date":"2024-09-25T17:55:49","date_gmt":"2024-09-25T17:55:49","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2409"},"modified":"2025-07-29T03:40:16","modified_gmt":"2025-07-29T03:40:16","slug":"crib-notes-apt28-a-group-so-fancy-i-cant-bear-it","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/crib-notes-apt28-a-group-so-fancy-i-cant-bear-it\/","title":{"rendered":"Crib Notes: APT28 \u2013 a group so fancy, I can\u2019t bear it."},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

In the world of cyber security, APT (Advanced Persistent Threat) groups are perhaps the most feared. This is because they are the most well-equipped and technically proficient threat actors, leading many to believe they have government-backing. \u00a0

One of the most infamous, APT28 (aka Fancy Bear), was first identified in 2004 by Trend Micro. Since their discovery, they have been implicated in multiple high-profile attacks against Government entities, diplomatic missions and media organisations.\u00a0

Most recently, however, researchers have implicated APT 28 in attacks against hotels in several European countries.

Recently:<\/strong> APT 28\u2019s most recent attack targeted businesses in the hospitality industry over July and August this year. FireEye researchers were the first to identify the campaign in which a malicious \u2018Hotel Reservation Form\u2019 was sent to target organisations in a classic spearphishing campaign.\u00a0

Once the document was opened, and macros enabled, Fancy Bear\u2019s signature malware \u2013 GAMEFISH \u2013 was dropped on to the terminal.\u00a0

After successfully gaining access, APT28 moved laterally through the network to seek machines that controlled both guest and internal Wi-Fi networks. After these were compromised, the group aimed to steal usernames and passwords which would allow further privilege escalation.

Technically:<\/strong> In the past week, we discovered a sample from the above attack campaign and conducted the following analysis:

Initially we spotted the following domains in the client logs:

mvtband(.)net

mvband(.)net \u00a0

https:\/\/virustotal.com\/#\/url\/fd9cf2adc77595a8977188866c03986e4f70bf2bc6d0dbe5a150aaa8c025feee\/detection

https:\/\/virustotal.com\/#\/url\/d8a03dbf5409952ea201e11d808faabef555ed96c9f37ffe9769f6694b21b6be\/detection

These domains triggered an alert as our threat intelligence feed identified them as Command and Control (C&C) servers. Our LMNTRIX HUNT team then scoured the logs and, by identifying the infected host, we found the malicious document and continued our analysis:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1 Malicious Document<\/em>

– C:\\Documents and Settings\\fancybear\\Hotel_Reservation_Form.doc

(78600 bytes) – binary

\u2022\u00a0\u00a0 \u00a0Found ZIP archive

\u2022\u00a0\u00a0 \u00a0Packed \u00a0 \u00a0 \u00a0Unpacked \u00a0 \u00a0Perc \u00a0Date\/time \u00a0 Filename

\u2022\u00a0\u00a0 \u00a0431 \u00a0 \u00a0 \u00a0 \u00a01819 \u00a023.7 \u00a001.01.1980 \u00a0[Content_Types].xml

\u2022\u00a0\u00a0 \u00a0239 \u00a0 \u00a0 \u00a0 \u00a0 590 \u00a040.6 \u00a001.01.1980 \u00a0_rels\/.rels

\u2022\u00a0\u00a0 \u00a0342 \u00a0 \u00a0 \u00a0 \u00a01601 \u00a021.4 \u00a001.01.1980 \u00a0word\/_rels\/document.xml.rels

\u2022\u00a0\u00a0 \u00a04343 \u00a0 \u00a0 \u00a0 63115 \u00a06.9 \u00a0 01.01.1980 \u00a0word\/document.xml

\u2022\u00a0\u00a0 \u00a0437 \u00a0 \u00a0 \u00a0 \u00a01503 \u00a029.1 \u00a001.01.1980 \u00a0word\/footnotes.xml

\u2022\u00a0\u00a0 \u00a0434 \u00a0 \u00a0 \u00a0 \u00a01497 \u00a029.0 \u00a001.01.1980 \u00a0word\/endnotes.xml

\u2022\u00a0\u00a0 \u00a0191 \u00a0 \u00a0 \u00a0 \u00a0 277 \u00a069.0 \u00a001.01.1980 \u00a0word\/_rels\/vbaProject.bin.rels

\u2022\u00a0\u00a0 \u00a0531 \u00a0 \u00a0 \u00a0 \u00a0 531 \u00a0100.0 01.01.1980 \u00a0word\/media\/image3.gif

\u2022\u00a0\u00a0 \u00a0200 \u00a0 \u00a0 \u00a0 \u00a0 392 \u00a051.0 \u00a001.01.1980 \u00a0word\/media\/image2.wmf

\u2022\u00a0\u00a0 \u00a0197 \u00a0 \u00a0 \u00a0 \u00a0 392 \u00a050.3 \u00a001.01.1980 \u00a0word\/media\/image1.wmf

\u2022\u00a0\u00a0 \u00a07028 \u00a0 \u00a0 \u00a0 15872 \u00a044.3 \u00a001.01.1980 \u00a0word\/vbaProject.bin

\u2022\u00a0\u00a0 \u00a01571 \u00a0 \u00a0 \u00a0 \u00a06795 \u00a023.2 \u00a001.01.1980 \u00a0word\/theme\/theme1.xml

\u2022\u00a0\u00a0 \u00a0449 \u00a0 \u00a0 \u00a0 \u00a01367 \u00a032.9 \u00a001.01.1980 \u00a0word\/vbaData.xml

\u2022\u00a0\u00a0 \u00a06354 \u00a0 \u00a0 \u00a0 30398 \u00a021.0 \u00a001.01.1980 \u00a0word\/settings.xml

\u2022\u00a0\u00a0 \u00a047830 \u00a0 \u00a0 \u00a0 95561 \u00a050.1 \u00a001.01.1980 \u00a0docProps\/app.xml

\u2022\u00a0\u00a0 \u00a02647 \u00a0 \u00a0 \u00a0 22908 \u00a011.6 \u00a001.01.1980 \u00a0word\/styles.xml

\u2022\u00a0\u00a0 \u00a0416 \u00a0 \u00a0 \u00a0 \u00a0 815 \u00a051.0 \u00a001.01.1980 \u00a0docProps\/core.xml

\u2022\u00a0\u00a0 \u00a0549 \u00a0 \u00a0 \u00a0 \u00a01816 \u00a030.3 \u00a001.01.1980 \u00a0word\/fontTable.xml

\u2022\u00a0\u00a0 \u00a0389 \u00a0 \u00a0 \u00a0 \u00a0 928 \u00a042.0 \u00a001.01.1980 \u00a0word\/webSettings.xml

\u2022\u00a0\u00a0 \u00a074578 \u00a0 \u00a0 \u00a0248177 \u00a030.1 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Total (19 files)

The above list is the document\u2019s internal files. One particular file which perked our interest was \u201cvbaproject.bin\u201d which we extracted for further analysis with officemalscanner.\u00a0
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Figure 2 Extracted contents of doc file<\/em>

The below analysis on the vbaproject.bin file gives us a better understanding of this sample\u2019s behaviour:
\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Figure 3 Interesting strings<\/em>

Here we see base 64 being used for encoding and decoding \u2013 the decoded file gets saved in the AppData location: \u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 4 Decoded File Saved in AppData location<\/em>

The saved file is then executed using WMI and then calls for rundll32.exe to execute supporting files, as seen below:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 5 Saved file execution and registering supporting files<\/em>

The following files are then created in the AppData location: mvtband.dat, mrset.bat and user.dat. This mvtband.dat file is the dll file which is registered using rundll32.exe. The file is used as a C&C for APT28. The user.dat file writes the mvtband.dll file and asks the batch file to execute it.\u00a0

Prevalence:<\/strong> APT 28 has been implicated in multiple attacks, all of which have targeted high-profile victims or institutions \u2013 typically these are seen as espionage exercises designed to gather high-value diplomatic intelligence. For example, it is widely thought the ultimate targets of the recent campaign against the hospitality industry was guests staying at the hotels, rather than the hotels themselves.

As business travellers typically rely on the Wi-Fi networks of the hotels at which they stay, it is easy to see why commandeering the hotel\u2019s Wi-Fi would be an incredibly effective way to target guests.\u00a0

The group is known for using multiple attack techniques, rarely relying on the same methods. For example, in 2015 six zero-day exploits were attributed to APT28:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 6 Zero Day exploits attributed to APT28 in 2015<\/em>

Mitigation:<\/strong> For businesses in the hospitality industry, once an alert is received it is best to unplug the machine from the network. Simple yara rules can scan for the existence of the malicious files in the host and removal scripts will easily search in the specified locations and delete them. We recommend businesses block mvtband(.)net and mvband(.)net in the proxy and firewall.\u00a0

For users, always exercise caution when dealing with attachments from unknown users. Travellers \u2013 particularly business travellers \u2013 should limit their reliance on public Wi-Fi networks.

Targets:<\/strong> APT28 has been linked to multiple attacks against high-profile targets. Past campaigns include the April 2015 attack on the French television network TV5Monde, the March 2016 breach of the U.S. Democratic National Committee, the December 2014 cyber-attack on the German Parliament, the August 2016 breach of the World Anti-Doping Agency, and a campaign in February 2015 to target members of the Dutch Safety Board who were investigating the downing of Malaysian Airlines Flight 17 over Ukraine.\u00a0

Attribution:<\/strong> As always, it is incredibly difficult to attribute an attack with 100 per cent certainty. That said, the widely held belief is that APT28 is sponsored by the Russian Government.<\/p>\n","protected":false},"excerpt":{"rendered":"

In the world of cyber security, APT (Advanced Persistent Threat) groups are perhaps the most feared. This is because they are the most well-equipped and technically proficient threat actors, leading many to believe they have government-backing.   One of the most infamous, APT28 (aka Fancy Bear), was first identified in 2004 by Trend Micro. Since […]<\/p>\n","protected":false},"author":1,"featured_media":2416,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2409","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2409","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2409"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2409\/revisions"}],"predecessor-version":[{"id":4252,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2409\/revisions\/4252"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2416"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}