
CSE CybSec ZLAB Malware Analysis Report: APT28 Hospitality malware

2017-10-05 17:05

The CSE CybSec Z-Lab Malware Lab analyzed the Hospitality malware used by the Russian APT28 group to target hotels in several European countries.

The Russian hacker group APT28, also known as Sofacy or Fancy Bear, is believed to be behind a series of attacks last July against travelers staying in hotels in Europe and the Middle East.

The attack is carried out by sending the victims spear phishing emails that masquerade as a hotel reservation form; if the attachment is opened and macros are enabled, it installs malware on the victim's machine.

Why would Fancy Bear do this? According to FireEye and other security firms, Sofacy is a cyberespionage group, and a good way to gather information about people hosted in important hotels (possibly businessmen and politicians) is to trick them into installing spyware whose Command and Control monitors the actions of all the victims.


Figure 1 – Screen of Word dropper.

The figure above shows an example of the weaponized document that the hackers attach to spear phishing emails. The document carries a payload that is released only when macros are enabled: the macro is a Visual Basic script that decodes the malicious payload and creates a series of files, according to the following scheme:

Figure 2 – Files’ creation and execution scheme

The file “mvtband.dat” is the core of the malware. It contains a C2C client that tries to connect to the servers “mvtband.net” and “mvband.net” in order to send the information gathered about the victim’s host and to receive new commands to execute on it. In particular, the malware contacts these C&C servers with a POST request on a random path. The body contains information including the list of running processes, system settings and browser preferences, encrypted with the malware's own algorithm. Moreover, our advanced analysis found that the Hospitality malware takes screenshots of the machine, which it most likely sends to the C2C together with the other information. These servers are now blacklisted, however, so we cannot analyze the complete behavior of the Hospitality malware.
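As an added example (not part of the original report), the following Python script hunts through web-proxy logs for the check-in behaviour described above: requests, and POSTs in particular, to the two C&C domains on any path. The log layout, the sample lines and the function names are assumptions made for illustration.

```python
# Added example: flag proxy-log entries matching the C2 behaviour described above.
# The log layout (timestamp, client, method, URL, status) is an assumption.
from collections import defaultdict
from urllib.parse import urlsplit

# C&C domains named in the article.
C2_DOMAINS = ("mvtband.net", "mvband.net")

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2017-08-01T09:12:03Z 10.0.0.15 POST http://mvtband.net/kQ3x/a9.php 200
2017-08-01T09:12:40Z 10.0.0.15 GET http://example.com/index.html 200
2017-08-01T09:14:11Z 10.0.0.22 POST http://MVBAND.NET:80/zz/81Lm 503
2017-08-01T09:15:02Z 10.0.0.31 POST http://notmvband.net.example.org/x 200
2017-08-01T09:16:45Z 10.0.0.22 GET http://cdn.mvtband.net./favicon.ico 404
malformed line
"""

def is_c2_host(host):
    """True if host equals a listed domain or is a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def find_c2_contacts(log_text):
    """Return {client_ip: [(timestamp, method, host, path), ...]} for C2 hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed layout
        ts, client, method, url, _status = fields
        parts = urlsplit(url)
        if is_c2_host(parts.hostname):
            hits[client].append((ts, method, parts.hostname.rstrip("."), parts.path))
    return dict(hits)

def beaconing_clients(hits):
    """Clients that sent a POST to a C2 host, matching the described check-in."""
    return sorted(c for c, events in hits.items()
                  if any(m == "POST" for _, m, _, _ in events))

if __name__ == "__main__":
    found = find_c2_contacts(SAMPLE_LOG)
    for client, events in found.items():
        for ts, method, host, path in events:
            print(f"{ts} {client} {method} {host}{path}")
    print("POST check-ins from:", beaconing_clients(found))
```

Matching on the parsed hostname rather than a substring keeps look-alike hosts such as the constructed `notmvband.net.example.org` line out of the results, and because the path is random it is reported but never used for matching.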

You can download the full ZLAB Malware Analysis Report at the following URL:


About the author: Antonio Pirozzi

Principal Malware Scientist and Senior Threat Researcher for CSE CybSec Enterprise spa

He holds more than 10 international Infosec certifications, from SANS, EC-Council and the Department of Homeland Security.
His experience goes beyond the classical computer security landscape: he has worked on numerous projects on GSM Security, Critical Infrastructure Security, Blockchain Malware, composition malware and malware evasion.

Pierluigi Paganini

(Security Affairs – hospitality malware, Fancy Bear)

The post CSE CybSec ZLAB Malware Analysis Report: APT28 Hospitality malware appeared first on Security Affairs.

Source: securityaffairs.co/wordpress/63835/cyber-warfare-2/cse-zlab-apt28-hospitality-malware.html
