Fancy Bear hackers' cyber assaults continue as researchers uncover evidence of fresh attacks. The Kremlin-linked hacker group is now going after targets in fresh phishing attacks using US President Donald Trump's actions against Syria as bait to lure victims into clicking on malicious email attachments.
The hacker group, also known as APT28, Sofacy and Sendit among others, has targeted key international governments in a number of cyberespionage campaigns over the past year. Fancy Bear is believed to have been active since 2004. Experts indicated that the group may also have been involved in the recent email hack and leaks that affected the newly elected French President Emmanuel Macron's political campaign.
Security researchers from ESET noted that at the time when the hacker group was believed to be targeting attacks to allegedly interfere with the French election, Fancy Bear hackers were simultaneously involved in a separate phishing campaign that used 'Trump's attack on Syria' as bait.
The researchers said the bait came with two Windows zero-day exploits that allowed for the group's malware "Seduploader" to infect the system.
"Seduploader Payload is a downloader used by Sednit's operators as reconnaissance malware," the ESET researchers said.
They said that apart from adding two new zero-day exploits, Fancy Bear hackers also updated their malware with other features such as screen-grabbing. Such features can come in useful to cyberespionage actors when working surreptitiously to retrieve classified information.
"This campaign shows us that Sednit has not ceased its activities," the ESET researchers said. "They still keep their old habits: using known attack methods, reusing code from other malware or public websites, and making small mistakes such as typos in Seduploader's.
"Also usual is the fact that they once again improved their toolset, this time adding some built-in features such as the screenshotter and integrating two new 0day exploits into their arsenal."
Meanwhile, the two zero-day exploits that the group had added to its arsenal have been patched by Microsoft in its scheduled Tuesday Patch update. While one had affected Microsoft Word documents, the other was for a local privilege escalation in Windows.
ESET's analysis of the recent phishing campaign refrained from mentioning who Fancy Bear's targets were and if the hacker group was successful in infiltrating systems. IBTimes UK has reached out to ESET for further clarity on the matter and will update this article in the event of a response.