APT28 Using Sofacy Backdoor to Evade Machine Learning

The Cylance Threat Research Team released a deep dive report into a piece of malware utilized by the APT28 cyber espionage group, also known as Fancy Bear.

The sample was originally uploaded to VirusTotal in May 2019 by US Cyber Command.

The malware, which legacy AV engines often label with the generic name Sofacy, is a backdoor. It receives instructions from a command and control (C2) site and can upload and download files, create processes and execute a remote shell. It can also contact its C2 site on a predefined schedule, otherwise remaining apparently dormant. C2 communication occurs over port 443 (HTTPS) or port 80 (HTTP). As with many backdoors, it can generate C2 host domain names rather than relying on a single hard-coded domain, so that its infrastructure remains reachable if individual domains are taken down.
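Scheduled beaconing is what a defender can see on the wire even when the binary itself looks benign. The following is an added example, not code from the Cylance report or from BluVector's product: a generic regularity check (coefficient of variation of the gaps between contacts) run over a constructed proxy log. The host names, the 10-minute interval and the log lines are all constructed; the page does not state this sample's actual schedule.

```python
"""Flag fixed-schedule C2 beaconing in connection logs.

Added example, not from the Cylance report or BluVector's product. The log,
the host names and the 600 s interval are constructed; the page does not
state this sample's actual schedule. The regularity test (coefficient of
variation of the gaps between contacts) is a generic beaconing heuristic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, "timestamp src dst:port". cdn-update.example is the
# hypothetical C2, contacted every 10 minutes; the other hosts are browsing.
CONSTRUCTED_LOG = """\
2019-05-01T09:00:00 10.0.0.5 cdn-update.example:443
2019-05-01T09:00:17 10.0.0.5 news.example:443
2019-05-01T09:10:00 10.0.0.5 cdn-update.example:443
2019-05-01T09:12:41 10.0.0.5 news.example:443
2019-05-01T09:20:00 10.0.0.5 cdn-update.example:443
2019-05-01T09:21:05 10.0.0.5 mail.example:443
2019-05-01T09:30:00 10.0.0.5 cdn-update.example:443
2019-05-01T09:33:59 10.0.0.5 news.example:80
2019-05-01T09:40:00 10.0.0.5 cdn-update.example:443
2019-05-01T09:47:12 10.0.0.5 news.example:443
2019-05-01T09:50:00 10.0.0.5 cdn-update.example:443
2019-05-01T09:58:30 10.0.0.5 mail.example:443
"""


def parse_log(text):
    """Group contact timestamps by (src, dst:port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def gap_stats(timestamps):
    """Return (mean_gap_seconds, coefficient_of_variation) for the gaps between
    consecutive contacts, or None when there are too few contacts to judge."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu == 0:
        return None  # all contacts at the same instant; not a schedule
    return mu, pstdev(gaps) / mu


def find_beacons(text, max_cv=0.1):
    """Return {dst: (contacts, mean_gap_seconds)} for flows whose gaps are
    regular enough (CV <= max_cv) to look like a timer rather than a user."""
    hits = {}
    for (src, dst), stamps in parse_log(text).items():
        stats = gap_stats(stamps)
        if stats is None:
            continue
        mean_gap, cv = stats
        if cv <= max_cv:
            hits[dst] = (len(stamps), mean_gap)
    return hits


if __name__ == "__main__":
    for dst, (n, gap) in find_beacons(CONSTRUCTED_LOG).items():
        print(f"{dst}: {n} contacts, every {gap:.0f} s")
```

Only the constructed C2 host survives the filter; the browsing hosts either have too few contacts or irregular gaps. Real implants often add jitter to their sleep interval, so in practice the `max_cv` bound is loosened and the gap distribution is inspected rather than reduced to one number, and because this backdoor can stay dormant between check-ins the observation window has to be long enough to capture several contacts.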

Because this malware is used for the initial infection of compromised systems, the researchers believe APT28 has invested considerable time and effort in making it evade detection by products that rely on machine learning. Examples include building it with standard libraries and compilers commonly used by benign software. The researchers estimate that roughly 99% of the code appears benign, which may be intended to bias machine-learning detection engines towards a benign verdict.
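The mechanism behind that bias is worth seeing in numbers. The following is an added example, not code from the Cylance report or from any vendor's detection engine: a toy classifier that scores a binary by the fraction of its imports that are suspicious, the kind of size-normalised feature that benign padding dilutes, beside a presence-count alternative that padding does not move. The import lists, the suspicious-API set, the threshold and the capability count are constructed; the report's 99% figure refers to code, not imports, so the numbers here illustrate the arithmetic rather than the sample.

```python
"""Feature dilution against a proportion-based malware classifier.

Added example, not from the Cylance report or any vendor's engine. The
import lists, the suspicious-API set, the threshold and the capability
count are constructed to show the mechanism the report describes: padding a
sample with benign material shifts normalised features towards 'benign'
while the malicious capability is untouched.
"""
import math

# Constructed: Win32 exports a backdoor with the capabilities described above
# (process creation, remote shell via pipes, file transfer, HTTP C2) might
# import. The API names are real; attributing them to this sample is not.
SUSPICIOUS_APIS = {
    "CreateProcessW", "CreatePipe", "WinHttpOpenRequest",
    "WinHttpSendRequest", "WriteFile", "ReadFile", "ShellExecuteW",
}

# Constructed import table of a minimal backdoor (6 of 7 imports suspicious).
MINIMAL_BACKDOOR = [
    "CreateProcessW", "CreatePipe", "WinHttpOpenRequest",
    "WinHttpSendRequest", "WriteFile", "ReadFile", "Sleep",
]

# Constructed padding: imports typical of an ordinary GUI/CRT-heavy program,
# the "standard libraries" flavour of benign code the report mentions.
BENIGN_PADDING = [
    "GetMessageW", "DispatchMessageW", "TranslateMessage", "CreateWindowExW",
    "DefWindowProcW", "LoadIconW", "LoadCursorW", "RegisterClassExW",
    "ShowWindow", "UpdateWindow", "GetDC", "ReleaseDC", "TextOutW",
    "SelectObject", "GetStockObject", "GetClientRect", "InvalidateRect",
    "SetTimer", "KillTimer", "GetTickCount", "wcslen", "wcscpy_s",
    "malloc", "free", "memcpy", "memset", "printf", "strlen",
    "GetCommandLineW", "GetModuleHandleW", "ExitProcess",
]


def suspicious_ratio(imports):
    """Normalised feature: fraction of imports that are suspicious. Classifiers
    normalise like this so binaries of different sizes are comparable."""
    if not imports:
        return 0.0
    return sum(1 for name in imports if name in SUSPICIOUS_APIS) / len(imports)


def classify_by_ratio(imports, threshold=0.5):
    """Toy classifier on the normalised feature; this is what dilution defeats."""
    return "malicious" if suspicious_ratio(imports) >= threshold else "benign"


def classify_by_capability(imports, min_hits=4):
    """Presence count: how many distinct suspicious APIs are present at all.
    Adding benign imports cannot lower it."""
    return "malicious" if len(SUSPICIOUS_APIS & set(imports)) >= min_hits else "benign"


def padding_needed(imports, threshold=0.5):
    """Attacker's arithmetic: the smallest number of benign imports to append so
    that hits/total drops below the threshold (0 if it already does)."""
    hits = sum(1 for name in imports if name in SUSPICIOUS_APIS)
    # smallest total with hits/total strictly below threshold
    total_needed = math.floor(hits / threshold) + 1
    return max(0, total_needed - len(imports))


if __name__ == "__main__":
    padded = MINIMAL_BACKDOOR + BENIGN_PADDING
    for label, sample in (("minimal", MINIMAL_BACKDOOR), ("padded", padded)):
        print(f"{label}: ratio={suspicious_ratio(sample):.2f} "
              f"ratio-classifier={classify_by_ratio(sample)} "
              f"capability-classifier={classify_by_capability(sample)}")
    print("benign imports needed to flip the ratio classifier:",
          padding_needed(MINIMAL_BACKDOOR))
```

Six appended benign imports are enough to push the minimal backdoor under the 0.5 threshold, and the full padding list drives the ratio to about 0.16 while every capability is still present. The defensive lesson is the second classifier: features that record whether a capability exists, rather than what proportion of the file it occupies, do not move when benign code is added. Production engines use far richer feature sets, but any feature normalised by file size or instruction count is exposed to this same arithmetic.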

When/How Did BluVector Detect It?

Despite these apparent countermeasures against machine-learning detection, the sample is detected by BluVector's patented Machine Learning Engine (MLE). Regression testing shows the sample would have been detected 13 months before its release.
