In the notorious 2016 breach of the Democratic National Committee, the group of Russian hackers known as Fancy Bear stole the show, leaking the emails and documents they had obtained in a brazen campaign to sway the results of the US presidential election. But another, far quieter band of Kremlin hackers was inside DNC networks as well. In the three years since, that second group has largely gone dark, until security researchers spotted them in the midst of another spy campaign, one that continued undetected for as long as six years.

Researchers at the Slovakian cybersecurity firm ESET today released new findings that reveal a years-long espionage campaign by a group of Kremlin-sponsored hackers that ESET refers to as the Dukes. They're also known by the names Cozy Bear and APT29, and have been linked to Russia's Foreign Intelligence Service, or SVR. ESET found that the Dukes had penetrated the networks of at least three targets: the ministries of foreign affairs of two Eastern European countries and one European Union nation, including the network of that EU country's embassy in Washington, DC. ESET declined to reveal the identities of those victims in more detail, and notes that there may well be more targets than those it has uncovered.

The researchers found that the spying campaign extended both years before the DNC hack and years after, until as recently as June of this year, and used an entirely new collection of malware tools, some of which deployed novel tricks to avoid detection. "They rebuilt their arsenal," says ESET researcher Matthieu Faou, who presented the new findings earlier this week at ESET's research conference in Bratislava, Slovakia. "They never stopped their espionage activity."

The Dukes' new tools use clever tricks to hide themselves and their communications inside a victim's network. They include a back door called FatDuke, named for its size: the malware fills an unusual 13 megabytes, thanks to about 12MB of obfuscating code designed to help it avoid detection. To conceal its communications with a command-and-control server, FatDuke impersonates the user's browser, even mimicking the user agent of the browser that it finds on the victim's system.

The new tools also include lighter-weight implant malware ESET has named PolyglotDuke and RegDuke, each of which serves as a first-stage program capable of installing other software on a target system. Both tools have unusual means of hiding their tracks. PolyglotDuke fetches the domain of its command-and-control server from its controller's posts on Twitter, Reddit, Imgur, and other social media. And those posts can encode the domain in any of three types of written characters (hence the malware's name): Japanese katakana characters, Cherokee script, or the Kangxi radicals that serve as components of Chinese characters.

Image: Two examples of the images the Dukes' malware altered and transmitted to hide its secret communications. Courtesy of ESET.

All of those stealth measures help to explain how the group remained undetected in these long-running intrusions for years on end, says ESET's Faou. "They were really careful, especially with network communications."
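The PolyglotDuke mechanism described above, in which the C2 hostname is recovered from a social-media post written in one of three scripts, is a "dead-drop resolver" pattern. The following is an added illustration written for this page, not ESET's code and not PolyglotDuke's real encoding: the substitution alphabet, the sample posts and the hostname check are all constructed here. What it shows is the shape of the technique (locate a run of characters from an unusual Unicode block, map each one back to a hostname character, sanity-check the result) and, equally, why the same run-finder is useful on the defensive side: a long run of Kangxi radicals or Cherokee letters inside an otherwise English post is rare in natural text and is a reasonable hunting signal.

```python
"""Hypothetical dead-drop resolver for the PolyglotDuke pattern.

Added example for this page. The alphabet mapping, sample posts and
hostname filter are constructed for illustration; they are NOT the
real PolyglotDuke scheme, which the article does not give.
"""
import re
import string

# Unicode blocks for the three scripts the article names.
SCRIPT_BLOCKS = {
    "katakana": (0x30A1, 0x30FA),   # Katakana letters
    "cherokee": (0x13A0, 0x13F4),   # Cherokee syllabary
    "kangxi":   (0x2F00, 0x2FD5),   # Kangxi Radicals
}

# Hostname characters, in the order they are mapped (constructed choice).
PLAINTEXT_ALPHABET = string.ascii_lowercase + string.digits + "-."

# One substitution table per script: i-th hostname char <-> (block start + i).
ENCODE_TABLES = {
    name: {ch: chr(start + i) for i, ch in enumerate(PLAINTEXT_ALPHABET)}
    for name, (start, _end) in SCRIPT_BLOCKS.items()
}
DECODE_TABLES = {name: {v: k for k, v in t.items()} for name, t in ENCODE_TABLES.items()}

# Regex per script matching a maximal run of characters from that block.
RUN_PATTERNS = {
    name: re.compile(f"[{chr(start)}-{chr(end)}]+")
    for name, (start, end) in SCRIPT_BLOCKS.items()
}

HOSTNAME_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def encode_domain(domain: str, script: str) -> str:
    """Controller side: hide a hostname as a run of one script's characters."""
    table = ENCODE_TABLES[script]
    return "".join(table[c] for c in domain.lower())


def find_encoded_run(text: str):
    """Return (script, run) for the longest run drawn from any one block,
    or None if the text contains no characters from those blocks."""
    best = None
    for name, pat in RUN_PATTERNS.items():
        for m in pat.finditer(text):
            if best is None or len(m.group()) > len(best[1]):
                best = (name, m.group())
    return best


def decode_post(text: str):
    """Implant side: recover a hostname from a post, or None.

    Returns None when the run uses characters outside the constructed
    alphabet or does not decode to something hostname-shaped, which is
    how ordinary Japanese or Cherokee text is rejected as a false positive.
    """
    hit = find_encoded_run(text)
    if hit is None:
        return None
    script, run = hit
    table = DECODE_TABLES[script]
    try:
        domain = "".join(table[ch] for ch in run)
    except KeyError:
        return None
    return domain if HOSTNAME_RE.fullmatch(domain) else None


# Constructed sample posts: two carry an encoded hostname, one is benign
# Japanese text, one contains no characters from the three blocks.
SAMPLE_POSTS = [
    "nice hike this weekend " + encode_domain("cdn-update.example.net", "kangxi") + " #trail",
    "throwback " + encode_domain("img.example.org", "cherokee"),
    "今日はコーヒーを飲みました",
    "plain english post with nothing hidden",
]


def extract_c2_domains(posts):
    """Run the resolver over a feed of posts; decoded hostnames in order."""
    return [d for d in (decode_post(p) for p in posts) if d is not None]


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(repr(post[:40]), "->", decode_post(post))
```

For hunting, `find_encoded_run` alone is the interesting piece: run it over collected posts and alert on long runs from a block that does not match the author's usual language, then attempt the decode only to prioritise the hits. The hostname filter matters on the implant side too; without it, any katakana post would be treated as a C2 pointer.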