The new malware nicknamed SkinnyBoy is used by Russian hackers to infiltrate sensitive orgs, Cluster25 threat research team says.
The threat actor, also known as Fancy Bear, Sednit, Sofacy, Strontium, or PwnStorm, used SkinnyBoy in attacks against entities this year.
SkinnyBoy is used in the intermediary stage of an attack, researchers said. Its goal is to collect information about the target and retrieve the next payload from a command and control server (C2).
Cluster25 attributes this campaign to Russian APT28 with mid-to-high confidence. The campaign likely started in March when attackers targeted foreign affairs ministries, embassies and various government, defense, and military agencies.
The researchers warned that besides the European Union, the attack could have affected organizations in the US as well.
SkinnyBoy is a Windows program, delivered through a Microsoft Word document, that downloads a DLL file that acts as a malware downloader.
A fake invitation to an event in Spain is used to trick users into opening a malicious file. The infection chain then moves to the next step, extracting a DLL that retrieves the SkinnyBoy dropper (tpd1.exe), which in turn downloads the main payload.
The malware establishes persistence before executing the files, creating a LNK file in the Windows Startup folder to keep a low profile. The LNK file is triggered when the infected machine reboots; it checks the SHA256 hashes of the files under C:\Users\%username%\AppData\Local.
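Because the persistence described above is a plain shortcut in the Startup folder pointing at files under the user's local AppData directory, a defender can audit exactly those two places. The following PowerShell script is an added example written for this article; it is not code from Cluster25's report. It enumerates the per-user and all-users Startup folders, resolves each shortcut's target through the WScript.Shell COM object, hashes the target with SHA-256, and flags targets that live under %LOCALAPPDATA%. The $knownBadHashes list is a placeholder: the real hashes would be taken from the vendor report, which this article does not reproduce.

```powershell
# Added example (not from the Cluster25 report): audit Startup-folder shortcuts.
# Flags shortcuts whose target sits under %LOCALAPPDATA% and optionally matches
# a list of known-bad SHA-256 values supplied by the analyst.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Placeholder value: replace with SHA-256 hashes from the vendor report.
$knownBadHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000000'
)

$shell = New-Object -ComObject WScript.Shell

$results = foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
            $hash   = $null
            if ($target -and (Test-Path -LiteralPath $target)) {
                $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
            }
            [PSCustomObject]@{
                Shortcut       = $_.FullName
                Created        = $_.CreationTime
                Target         = $target
                Arguments      = $lnk.Arguments
                SHA256         = $hash
                InLocalAppData = [bool]($target -and $target -like "$env:LOCALAPPDATA*")
                KnownBad       = [bool]($hash -and ($knownBadHashes -contains $hash))
            }
        }
}

# Newest shortcuts first: a recently created entry pointing into AppData\Local
# is the pattern worth a closer look.
$results | Sort-Object Created -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the all-users Startup folder is readable. A shortcut with InLocalAppData set to True is not proof of compromise on its own (some legitimate per-user installers behave the same way), but combined with a recent creation time, an unsigned target, or a hash match against vendor indicators it gives an analyst a concrete starting point.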
SkinnyBoy’s purpose is to exfiltrate information about an infected system and deploy the final payload, which the researchers were unable to identify.
The data is collected using built-in Windows tools and exfiltrated to the C2 servers in encrypted, base64-encoded form.
According to Cluster25, an attacker used a commercial VPN service to purchase infrastructure components for their attack. This tactic helps them avoid getting caught by the authorities.
The firm’s report provides a list of the samples its researchers examined and the YARA rules they used to identify them.