Roman Holiday: Fancy Bear hackers spotted using new malware to target Italian organizations

The prolific Fancy Bear hackers, aka APT28, Sofacy, Pawn Storm, Sednit and Strontium) have been spotted conducting a new campaign targeting organizations in Italy. The hackers were found using new malware variants designed to evade detection to attack targets.

Security researchers at Z-Lab have dubbed the campaign “Roman Holiday” given that the hackers are targeting Italian entities. One of the new malware variants discovered was actually an upgraded version of Fancy Bear’s Mac malware X-Agent.

New X-Agent malware

X-Agent is Fancy Bear’s custom backdoor. Although the malware was designed to primarily target Mac systems, Z-Lab researchers have discovered that the Russian hackers recently upgraded the malware to target Windows systems as well.

The new variant of the X-Agent malware is written in Delphi. Z-Lab researchers found that X-Agent’s payload communicates with the C2 server using HTTPS, essentially making it impossible for anyone to eavesdrop on the malicious traffic generated by the malware.

Roman Holiday campaign

Researchers said they detected another malware unrelated to the two Z-Agent variants. However, the malware shares several similarities with other payloads previously used by Fancy Bear hackers.

“This malware is particularly interesting for us because it contacts a command and control with the name ‘marina-info.net’ a clear reference to the Italian Military corp, Marina Militare,” Z-Lab researchers said in a report. “This lead us into speculating that the malicious code was developed as part of targeted attacks against the Italian Marina Militare, or some other entities associated with it.”

Although the unnamed malware sample appears to have no relations to either of the X-Agent malware variants, Z-Lab researchers believe that it is an additional component used by Fancy Bear in its Roman Holiday campaign against the Italian military and other organizations.

“We cannot exclude that the APT group developed the backdoor to target specific organizations including the Italian Marina Militare or any other subcontractor,” Z-Lab researchers said. “In our analysis we were not able to directly connect the malicious dll file to the X-Agent samples, but believe they are both part of a well-coordinated surgical attack powered by APT28.”

Brief history of Fancy Bear’s activities

Fancy Bear has been active since 2007. Since it first appeared, the hackers group has targeted numerous governments, militaries and private organizations across the globe. The group’s involvement in the attacks against the US Democratic National Committee (DNC) during the 2016 US presidential election made headlines.

The attack led to security researchers delving deep into Fancy Bear’s activities, which in turn revealed the group’s links to the Russian intelligence service GRU. US intelligence services have since concluded that Fancy Bear’s attack on the DNC was part of the Kremlin’s attempt to influence the US elections and damage the nation’s democracy.