A malware called SkinnyBoy was discovered being used in spear-phishing campaigns against military and government institutions in the U.S. and Europe. Experts believe the Russian-speaking APT28 group was behind the attack.

What has happened?

Cluster25 discovered a campaign by the APT28 group, running since the beginning of March. It has been focused on government agencies including foreign ministries, embassies, and military and defense companies.
  • SkinnyBoy was used at the intermediary stage of the attack. It gathers information about the targeted victim and retrieves the next payload from the C2 server.
  • The campaign claimed several victims from the EU and the U.S.
  • The malware spreads via a Word document with a macro that extracts a DLL file acting as a malware downloader. A spoofed invitation to an upcoming international scientific event is used to lure the victims.
  • Opening the invitation starts the infection chain that begins with the extraction of the DLL. It gets the SkinnyBoy dropper (tpd1[.]exe), a malicious file that downloads the main payload.

Background on SkinnyBoy

The SkinnyBoy malware is designed to extract information from infected systems and to download and launch the final payload of the attack. At the moment, this final payload remains unknown.
  • To extract information, it uses the systeminfo[.]exe and tasklist[.]exe tools, which are built into Windows. These tools enable the attacker to extract file names in certain locations.
  • All the information extracted this way is encoded in base64 format and delivered to the C2 server managed by the malware operators.
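The two behaviours just described (Windows-native discovery tools launched from an unusual parent, and base64-encoded output leaving the host) are both things a defender can look for. The Python script below is an added example, not code from the article or from Cluster25; it uses a constructed, pipe-delimited process-creation log format as a stand-in for real EDR/Sysmon events, and the Office-parent list, the user-writable path pattern, the agent.exe process and the user name are assumptions invented for the example. Only the tpd1.exe dropper name comes from the report.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Iterable, List

# Windows-native discovery tools named in the report.
DISCOVERY_TOOLS = {"systeminfo.exe", "tasklist.exe"}

# Parents that should rarely spawn discovery tools. The Office list and the
# user-writable path pattern are assumptions for this example; tune per fleet.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE_PATH = re.compile(r"\\(appdata|temp|downloads|public)\\", re.IGNORECASE)

# Strings that appear in systeminfo / tasklist output; used to recognise
# base64 blobs that decode to host-discovery data.
DISCOVERY_MARKERS = ("Host Name:", "OS Name:", "Image Name", "Session Name")


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    cmdline: str


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'key=value|key=value' process-creation record
    (a flattened stand-in for a Sysmon Event ID 1 line, not a real format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(
        pid=int(fields["pid"]),
        image=fields["image"],
        parent_image=fields["parent"],
        cmdline=fields.get("cmdline", ""),
    )


def is_suspicious(ev: ProcEvent) -> bool:
    """Flag a discovery tool spawned by an Office process or by a binary running
    from a user-writable directory (where a macro-dropped file would live)."""
    if basename(ev.image) not in DISCOVERY_TOOLS:
        return False
    parent = basename(ev.parent_image)
    return parent in OFFICE_PARENTS or bool(USER_WRITABLE_PATH.search(ev.parent_image))


def find_suspicious(lines: Iterable[str]) -> List[ProcEvent]:
    """Return the events in `lines` that match the discovery-from-odd-parent rule."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


def decodes_to_discovery_output(blob: str) -> bool:
    """True if `blob` is valid base64 whose plaintext contains a discovery marker.
    Intended for HTTP bodies or query strings observed leaving a host."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    text = raw.decode("utf-8", errors="ignore")
    return any(marker in text for marker in DISCOVERY_MARKERS)


# Constructed sample events. tpd1.exe is the dropper named in the report; the
# user name, the paths and agent.exe are invented for this example.
SAMPLE_EVENTS = [
    r"pid=4120|image=C:\Windows\System32\systeminfo.exe|parent=C:\Users\alice\AppData\Local\Temp\tpd1.exe|cmdline=systeminfo",
    r"pid=4133|image=C:\Windows\System32\tasklist.exe|parent=C:\Program Files\Monitoring\agent.exe|cmdline=tasklist /v",
    r"pid=4150|image=C:\Windows\System32\tasklist.exe|parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|cmdline=tasklist",
    r"pid=4160|image=C:\Windows\System32\notepad.exe|parent=C:\Users\alice\AppData\Local\Temp\tpd1.exe|cmdline=notepad",
]

# Constructed exfil body: base64 of a fragment of systeminfo output.
SAMPLE_EXFIL = base64.b64encode(
    b"Host Name: WS01\r\nOS Name: Microsoft Windows 10 Pro\r\n"
).decode()

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={ev.pid} {basename(ev.image)} spawned by {ev.parent_image}")
    print("exfil body looks like discovery output:", decodes_to_discovery_output(SAMPLE_EXFIL))
```

Run as-is, the script alerts on the two events whose parent is the temp-directory dropper or WINWORD.EXE and leaves the monitoring agent's tasklist run alone; the base64 check is deliberately narrow (it only fires when the decoded text carries systeminfo or tasklist headers), which keeps it quiet on the large volume of legitimate base64 traffic while still catching the encoding step the report describes.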

Conclusion

Although developed by an APT group, this malware has a low level of sophistication and basic operating logic. However, it cannot be taken lightly, as it could be in an early stage of development. Therefore, it is important to keep a strict eye on all the developments around this new threat.

Cyware Publisher