En Route with Sednit

Executive Summary

The Sednit group — also known as APT28, Fancy Bear and Sofacy — is a group of attackers operating since 2004 if not earlier and whose main objective is to steal confidential information from specific targets.

This is the third part of our whitepaper “En Route with Sednit”, which covers the Sednit group activities since 2014. Here, we describe a special downloader named Downdelph.

The key points described in this third installment are the following:

• Downdelph was used only seven times over the past two years, according to our telemetry data: we believe this to be a deliberate strategy formulated in order to avoid attracting attention
• Downdelph has been deployed on a few occasions with a never-previously-documented Windows bootkit, which shares some code with the infamous BlackEnergy malware
• Downdelph has been deployed on a few occasions with a previously undocumented Windows rootkit

For any inquiries related to this whitepaper, contact us at: threatintel@eset.com