Cybersecurity researchers at Cluster25 have discovered a new malware called SkinnyBoy that has been used in targeted phishing attacks.
The malicious campaign has been linked to the Russian-speaking hacker group APT28 (also known as Fancy Bear, Sednit, Sofacy, Strontium, or PawnStorm).
Criminals used SkinnyBoy to launch attacks on military and government agencies earlier this year. SkinnyBoy is designed for the intermediate stage of the attack: it collects information about the victim and retrieves the next payload from the C&C server.
According to experts, APT28 launched the campaign in early March, focusing on foreign ministries, embassies, the defence industry and the military sector. Numerous victims are located in the EU, but the malicious activity could presumably also have affected organizations in the United States.
Hackers are spreading emails with an infected Microsoft Word document attached. The document contains a macro that extracts a DLL file and downloads the SkinnyBoy malware. The emails are disguised as invitations to an international scientific event to be held in Spain at the end of July.
Once on the victim’s system, the loader ensures persistence and proceeds to retrieve the next payload, which is encoded in Base64. The payload is removed after extracting two files on the compromised system:
SkinnyBoy’s goal is to steal information about the infected system and to download and launch the final payload of the attack, which remains unknown at the moment.
The data is stolen using the systeminfo.exe and tasklist.exe tools already available in Windows, which allow you to extract filenames from specific locations.
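Because both tools are legitimate Windows binaries, looking for either one alone is noisy; a more useful hunt is one parent process starting both within a short time. The sketch below is an added example, not taken from Cluster25's report or the original article: the event fields, the five-minute window, the allowlist of expected parents and every sample event are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

RECON_TOOLS = {"systeminfo.exe", "tasklist.exe"}  # tools named in the article
WINDOW = timedelta(minutes=5)                      # assumed correlation window
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe"}   # assumed admin-shell allowlist

def ev(host, time, ppid, parent, image):
    return {"host": host, "time": time, "parent_pid": ppid,
            "parent": parent, "image": image}

SYS32 = "C:\\Windows\\System32\\"
HELPER = "C:\\Users\\alice\\AppData\\Local\\sample_helper.exe"  # made-up path
# Constructed process-creation events (hosts, paths and times are made up).
EVENTS = [
    ev("WS-014", "2021-06-03T09:14:02", 4120, HELPER, SYS32 + "systeminfo.exe"),
    ev("WS-014", "2021-06-03T09:14:05", 4120, HELPER, SYS32 + "tasklist.exe"),
    ev("WS-020", "2021-06-03T10:01:00", 812, SYS32 + "cmd.exe", SYS32 + "systeminfo.exe"),
    ev("WS-020", "2021-06-03T10:01:30", 812, SYS32 + "cmd.exe", SYS32 + "tasklist.exe"),
    ev("WS-031", "2021-06-03T11:20:00", 2204, "C:\\Monitor\\agent.exe", SYS32 + "tasklist.exe"),
    ev("WS-044", "2021-06-03T08:00:00", 990, "C:\\Tools\\inventory.exe", SYS32 + "systeminfo.exe"),
    ev("WS-044", "2021-06-03T10:00:00", 990, "C:\\Tools\\inventory.exe", SYS32 + "tasklist.exe"),
]

def find_recon_bursts(events, window=WINDOW):
    """Return one alert per parent process that ran every recon tool within `window`."""
    by_parent = defaultdict(list)
    for e in events:
        tool = basename(e["image"]).lower()
        if tool in RECON_TOOLS:
            key = (e["host"], e["parent_pid"], e["parent"].lower())
            by_parent[key].append((datetime.fromisoformat(e["time"]), tool))
    alerts = []
    for (host, ppid, parent), hits in by_parent.items():
        if basename(parent) in EXPECTED_PARENTS:
            continue  # interactive shells are expected to run these tools
        last_seen = {}
        for ts, tool in sorted(hits):
            last_seen[tool] = ts  # keep the most recent start of each tool
            spread = max(last_seen.values()) - min(last_seen.values())
            if len(last_seen) == len(RECON_TOOLS) and spread <= window:
                alerts.append({"host": host, "parent_pid": ppid, "parent": parent})
                break
    return alerts

if __name__ == "__main__":
    for alert in find_recon_bursts(EVENTS):
        print(alert)
```

The allowlist and window need tuning per environment, since inventory and monitoring agents may run both tools legitimately.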