The Russian threat group Fancy Bear appears to be behind a recent campaign that may have targeted Italy’s navy with an updated version of the APT group’s XAgent backdoor malware, according to researchers.
Dubbed Roman Holiday, the campaign appears to also involve a malicious dll file that communicates with a command-and-control server bearing the name “marina-info.net” — an apparent reference to the Italian Marina Militare, according to a July 14 blog post from the Z-Lab research division of Italian cybersecurity firm CSE Cybsec.
Researchers at CSE Cybsec believe this dll could be a final-stage malware program that is triggered only under certain conditions, such as when the infected system has an IP address within a specified range. Moreover, they suspect this dll is a component of the new XAgent variant, which emerged in the wild in June and affects Windows devices.
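As an added example, not code from the article or from CSE Cybsec's report, the snippet below shows a minimal detection check a defender could run over proxy or DNS query logs to flag hosts that looked up or contacted the command-and-control domain named above. The three-field log format and the sample lines are constructed assumptions; the domain itself comes from the report. Matching is done on exact host or subdomain, so a lookalike such as "notmarina-info.net" is not flagged.

```python
"""Flag internal hosts that resolved or contacted the Roman Holiday C2 domain.

Assumed (hypothetical) log format, one record per line:
    <ISO timestamp> <client_ip> <queried_or_requested_host>
"""
from typing import Dict, Iterable, List

# C2 domain named in the CSE Cybsec Z-Lab report.
C2_DOMAIN = "marina-info.net"

# Constructed sample log lines; not real traffic.
SAMPLE_LOGS = [
    "2018-07-10T09:12:01Z 10.1.4.22 update.microsoft.com",
    "2018-07-10T09:12:44Z 10.1.4.22 marina-info.net",
    "2018-07-10T09:13:02Z 10.1.7.8 cdn.marina-info.net",
    "2018-07-10T09:14:10Z 10.1.9.3 notmarina-info.net",   # lookalike, must not match
    "2018-07-10T09:15:30Z 10.1.4.22 MARINA-INFO.NET.",    # case and trailing dot
    "malformed line",                                     # skipped, not crashed on
]


def matches_c2(host: str, c2: str = C2_DOMAIN) -> bool:
    """True if host is the C2 domain or one of its subdomains.

    Normalises case and a trailing root dot, then requires either an exact
    match or a '.' boundary before the C2 name, so 'notmarina-info.net'
    does not match.
    """
    h = host.lower().rstrip(".")
    return h == c2 or h.endswith("." + c2)


def find_c2_contacts(lines: Iterable[str], c2: str = C2_DOMAIN) -> Dict[str, List[str]]:
    """Return {client_ip: [timestamps]} for every record that hit the C2 domain."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:          # tolerate malformed records
            continue
        ts, src, host = parts
        if matches_c2(host, c2):
            hits.setdefault(src, []).append(ts)
    return hits


if __name__ == "__main__":
    for src, stamps in find_c2_contacts(SAMPLE_LOGS).items():
        print(f"{src}: {len(stamps)} contact(s) with {C2_DOMAIN} at {', '.join(stamps)}")
```

Running the block against the constructed sample reports two internal hosts, with 10.1.4.22 seen twice; a real deployment would feed it the organisation's own resolver or proxy export and raise a ticket per source address.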
CSE Cybsec obtained the XAgent malware from a sample that was submitted to VirusTotal. The blog notes that the variant is downloaded from the internet as a second-stage malware, via a dropper program written in the Delphi programming language — a hallmark of Fancy Bear (aka APT28, Pawn Storm, Sednit, Sofacy, Strontium, etc.).
In a separate malware analysis report, the researchers also note that the campaign was linked to two different malicious servers in Europe and another in China. Using such widespread infrastructure across the globe is an attempt to “mislead the analysis” and “create confusion during the reconstruction of the complete cyber-attack,” the report states.
Z-Lab experts performed their investigation alongside the independent researcher known by the Twitter handle Drunk Binary (@DrunkBinary).
“In their analysis, the experts were not able to directly connect the malicious dll file to the XAgent samples, but they believe they are both parts of a well-coordinated surgical attack powered by APT28…” the blog post concludes.