APT28 is a malware tool developed by a Russian cyber espionage group. A complete attack scenario with APT28 has multiple malware stages, such as Sourface/Coreshell, Eviltoss, and Chopstick. An attacker using the APT28 malware could persuade a trusted user to open a malicious document that includes a Sourface downloader, which downloads the Chopstick second-stage malware. This malware could allow the attacker to obtain sensitive information from the targeted system. A successful exploit could be used to conduct further attacks.
Reports indicate that this malware was used to conduct attacks against the following countries and organizations:
Georgia and the Caucasus:
- Ministry of Internal Affairs
- Ministry of Defense
- Journalist writing on Caucasus issues
- Kavkaz Center
Eastern European Governments and Militaries:
- Polish government
- Hungarian government
- Ministry of Foreign Affairs in Eastern Europe
- Baltic Host exercises
Chopstick is a backdoor built on a modular, object-oriented framework written in C++. The backdoor may communicate with external servers over the SMTP or HTTP protocols.
Chopstick is organized into separate modules, each of which performs a different task. One module collects detailed information about the targeted host, including the Windows version, CPU architecture, Windows Firewall state, and User Account Control (UAC) configuration settings. All of this information is stored in a hidden .tmp file in the %ALLUSERSPROFILE% directory.
Chopstick also creates a Windows mailslot and a new thread to capture dynamic information, including desktop screenshots, the currently active window, periodically collected keystrokes, and messages read from the mailslot. This information is stored in a .tmp file encrypted with RC4.
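The two artifacts described above, a hidden .tmp file holding host details and a further .tmp file encrypted with RC4, give a responder something concrete to hunt for. The following Python script is an added example, not code from the advisory or from any vendor tool: it scans a directory for .tmp files, flags those carrying the Windows hidden attribute or showing the near-8-bits-per-byte entropy typical of RC4 output, and shows how an analyst would decrypt such a file once the key has been recovered from a sample. The directory, file names, key and plaintext are all constructed for the demonstration; the advisory gives no key or file names.

```python
"""Triage helper for the collection files described in the advisory.
Added example; the directory, key, file names and plaintext are constructed."""
import math
import os
import stat
import tempfile
from collections import Counter


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream XOR). Encrypt and decrypt are the same."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_hidden(path: str) -> bool:
    """True when the Windows hidden attribute is set (the attribute the malware uses).
    st_file_attributes only exists on Windows, so this is always False elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def triage_tmp_files(directory: str, threshold: float = 7.0) -> dict:
    """Return {name: {"entropy", "hidden", "suspicious"}} for each .tmp file in directory.
    High entropy is only a lead (archives and images look the same); treat it as a
    prompt for deeper analysis, not as a verdict."""
    report = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            if not (entry.is_file() and entry.name.lower().endswith(".tmp")):
                continue
            with open(entry.path, "rb") as fh:
                ent = shannon_entropy(fh.read())
            hidden = is_hidden(entry.path)
            report[entry.name] = {"entropy": ent, "hidden": hidden,
                                  "suspicious": ent >= threshold or hidden}
    return report


def demo() -> dict:
    """Build a constructed sample directory, triage it, and decrypt the flagged file."""
    key = b"constructed-key"  # constructed; a real key would come from sample analysis
    plaintext = b"Windows version; CPU architecture; Firewall state; UAC config\r\n" * 60
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "encrypted.tmp"), "wb") as fh:
            fh.write(rc4(key, plaintext))
        with open(os.path.join(d, "plain.tmp"), "wb") as fh:
            fh.write(plaintext)
        with open(os.path.join(d, "unrelated.log"), "wb") as fh:
            fh.write(b"not a tmp file\n")  # must be ignored by the scan
        report = triage_tmp_files(d)
        # With the recovered key, RC4 applied again yields the original collection text.
        with open(os.path.join(d, "encrypted.tmp"), "rb") as fh:
            report["encrypted.tmp"]["decrypted_ok"] = rc4(key, fh.read()) == plaintext
    return report


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

On a live Windows host the call would be `triage_tmp_files(os.environ["ALLUSERSPROFILE"])`; the hidden-attribute check is what distinguishes the first artifact, while the entropy check catches the RC4-encrypted one even when it is not hidden.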
Users are advised to use the following workarounds to help protect against this malware:
Configure auto-update features to update daily or manually update antivirus signatures. Establish procedures for immediate antivirus updating in response to high-risk malicious code outbreaks.
Users should verify that unsolicited links are safe to follow.
Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that deliver or use this malware.
Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations.
Users are advised to use caution when downloading and installing software.