Threat Defiance Report

Technical Follow Up - APT28 Malware Analysis

In May 2015, root9B released an APT28 Threat Defiance report (1) detailing pre-event indicators and threat information regarding a pending attack on several entities. This follow-up report is focused on providing additional insight and technical analysis of a malware sample that was originally reported.

Approximately 45 days after the release of the root9B report, Netzpolitik released a report on a breach of the German Parliament. The Netzpolitik report (2) detailed the malware and methods employed in the breach and attributed the event to APT28. The attack on the German Parliament used similar malware and the same command and control infrastructure that was identified in the original root9B report.

The following information is root9B’s malware analysis of the malicious Dynamic Link Library (DLL) noted in our May 2015 report and presents a strong link to the recovered malware sample reported in the German Parliament exploit. Both samples appear to have been created from the same code base and share the same command and control infrastructure. This report provides additional security measures to defend against this variant of the malware.

Throughout the report, “sample 1” refers to the Netzpolitik malware sample which was described in Claudio Guarnieri’s report. “Sample 2” refers to the .DLL sample of the malware analyzed by root9B.