Fancy Bear
Fancy Bear (also tracked as APT28, Pawn Storm, Sofacy Group, Sednit, Tsar Team and STRONTIUM) is assessed to be Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. The group targets governments, defense and security organizations, and NATO member countries.
LoJax
LoJax is a UEFI rootkit (bootkit): a malicious UEFI module written into the system's SPI flash that drops its user-mode agent onto disk during every boot. Because it lives in firmware rather than on disk, it survives OS reinstallation and disk replacement and is removed only by reflashing the firmware. The EFI hash below is the firmware module; a filesystem scan will only ever find the kernel driver and the agents.
EFI: 81e96c07e6c9cb02f72c0943a42ff9f8f09a09c508f8bbaa1142a9ee4f1326cf
Kernel: d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d
Agents:
dcbfd12321fa7c4fa9a72486ced578fdc00dcee79e6d95aa481791f044a55af3
3f48dbbf86f29e01809550f4272a894ff4b09bd48b0637bd6745db84d2cec2b6
6d626c7f661b8cc477569e8e89bfe578770fca332beefea1ee49c20def97226e
aa5b25c969234e5c9a8e3aa7aefb9444f2cc95247b5b52ef83bf4a68032980ae
XAgent
XAgent is a modular backdoor: its functionality is provided by plug-ins loaded at runtime.
b814fdbb7cfe6e5192fe1126835b903354d75bfb15a6c262ccc2caf13a8ce4b6
fd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5
b771267551961ce840a1fbcd65e8f5ecd0a21350387f35bbcd4c24125ec04530
Komplex
Komplex is a modular backdoor for macOS, developed in a similar fashion to XAgent.
96a19a90caa41406b632a2046f3a39b5579fbf730aca2357f84bf23f2cbc1fd3
XTunnel
XTunnel is an obfuscating network proxy that relays traffic between a C2 server and hosts inside a victim network. It uses TLS, but can fall back to an unencrypted channel, so a TLS block alone does not stop it.
4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976
be2e58669dbdec916f7aaaf4d7c55d866c4f38ac290812b10d680d943bb5b757
Implant: 40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f
Go
The group rewrites its trojans in multiple languages (the post below covers a Go variant of Zebrocy), probably to evade signature-based detection tuned to earlier builds.
https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/
93680d34d798a22c618c96dec724517829ec3aad71215213a2dcb1eb190ff9fa
Cannon
Cannon is a trojan that uses email protocols (SMTP to send, POP3S to receive) as its C2 channel, so its beaconing looks like ordinary mail traffic. It exfiltrates system information for reconnaissance and can download and execute a payload.
aeaca9985b50ebe1db0fcda9b3fbf02275d17737b748963b63c14da3e988d801
Various Implants
01bca6481a3a55dc5de5bfa4124bba47d37018d8ee93e5dbb80a60a14f243889
0320298eea0206b71d12f3a69730bbbec9768c5c323dfe131047f7ba4f4a8868
044f8ab501090fd77ae6e9ebf57e7fba9041be7ab986ce58f38583f4839a5126
121407a9bced8297fbbdfb76ae79f16fe9fa0574deee21a44dfb56d5b1deb999
19be1aedc36a6f7d1fcbd9c689757d3d09b7dad7136b4f419a45e6187f54f772
1aa4ad5a3f8929d61f559df656c84326d1fe0ca82a4be299fa758a26e14b1b27
1de6d9db409bef73e3585fc08f98b30e2757ec87830e6f84ba85c39210aa962b
489a1b13b5ec415f24bc4f1b4ed6c6e0bdc50ae95513645a839655bc75d4d9d6
5b52bc196bfc207d43eedfe585df96fcfabbdead087ff79fcdcdd4d08c7806db
6f2589be92c2d0fa6050e52fbedb967c2590a8abbc4a9459fb7f78bc52407195
854a522a113b6413ff4db5f0ba0aec98cba3c5ef386311660f6dabab26f6aa14
88a47fe9da15241b41770d26c880dd9843b1d37ff39cce3cd09e7e78f8501934
963c3bf38e90c2971e6875490e9d2393b9567f5cc3ee5e4c098b988bd2b852c5
a5b68575ac4fbe83c23ff991ad0d5389f51a2aef71ee3c2277985c68361cf1cc
dea3a99388e9c962de9ea1008ff35bc2dc66f67a911451e7b501183e360bb95e
e05de3e4a03369192856a167f2865eab3062a102b23bfdde5c0f622b39cd159a
e2bea753318d715dfc2f186c49ae3e9c404d0f5df52e959ea546f78a3624bc3b
e2f3caade127e855fdec68faf8eea845fed9ae98ea17cd74644e57de91fb6e11
Cozy Bear
Cozy Bear (also tracked as CozyDuke, APT29, IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM and The Dukes) is assessed to be Russia's Foreign Intelligence Service (SVR). The group targets government networks in Europe and NATO member countries, research institutes, and think tanks.
MiniDuke
MiniDuke is a toolset consisting of multiple droppers, loaders and implants.
dd215d76bcfd72ebcfb50ccfeb9fb1703af4bbf4821de225009f43fc4e08e432
c485cbcd5b21db8029654bd47879f086feed41492aebed33a9afe9d73f5069e7
Implants:
b101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae
6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536
Trojan: 01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9
Agent: 43cd9ef6904c35c6854bf59d99731a05048af9e870261064a255db0181930fad
Other Implants
b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05
2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
Energetic Bear
Energetic Bear (also tracked as Dragonfly, TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti and IRON LIBERTY) is assessed to be Russia's Federal Security Service (FSB) Center 16. The group targets defense and aviation companies, ICS operators and other critical infrastructure.
49ea7a8eacaf7a6988ce73362dd515835aaee1a87da9a663f7e1619b788081bc
4a753bce8a3a802246230a793599c00778328a02173e56563245cefb6b79fc9a
501addba8dca294be2ed39bffbd8927652672306e0c9181a7f9b7e66715aa626
5bc56078af7bed0447796450b847b90a598d8a36bf2811d6b461d4f0fe597a72
SSHd: 64a186acc13fd08ccc250f1e20880fe6bb9a053a3ad82c288bbc9d7150404be3
Downloader: cb3306aecb05fccaac51a036f361991745a4ef90d8d9ec713d783c88605ea556
Voodoo Bear
Voodoo Bear (also tracked as Sandworm Team, ELECTRUM, TeleBots, IRON VIKING, the BlackEnergy group and Quedagh) is assessed to be Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST), military unit 74455.
9e9a6f1d046e0f5da10aa0e18bba248df4f818d342ed359c35fdb000f1354819
Grey Energy
GreyEnergy is the successor to the BlackEnergy toolset, which was retired after the December 2015 attack on the Ukrainian power grid. It is also closely related to TeleBots, the activity responsible for NotPetya.
1b17ce735512f3104557afe3becacd05ac802b2af79dab5bb1a7ac8d10dccffd
1bb78a73f28617bf8209dae0be4ced07dcd44420b541d7147a0f978237f9b3e2
6c52a5850a57bea43a0a52ff0e2d2179653b97ae5406e884aee63e1cf340f58b
8c3f4d8c90ba7124591f6d4a4b739f63179c220bb7cd6ce10752b13cecefa574
b60c0c04badc8c5defab653c581d57505b3455817b57ee70af74311fa0b65e22
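Every indicator on this page is a SHA-256 of a file. The most direct use of such a list is an exact-match sweep: hash every file on a host and compare against the set. The following is an added example, not part of this page's listing or any vendor tool, that parses the page's plain-text layout (a section heading, optional "Label:" prefixes or "Agents:"-style sub-labels, then one hash per line) and walks a directory tree looking for matches. The few indicator lines embedded in SAMPLE_IOC_TEXT are copied from the LoJax and XTunnel entries above; the planted file, its hash and the "Constructed sample" section are constructed for the demonstration and are not real indicators.

```python
import hashlib
import os
import re
import tempfile

# Constructed excerpt of the page's layout; the hashes are the page's own LoJax/XTunnel entries.
SAMPLE_IOC_TEXT = """\
LoJax
LoJax is a UEFI rootkit (bootkit).
EFI: 81e96c07e6c9cb02f72c0943a42ff9f8f09a09c508f8bbaa1142a9ee4f1326cf
Kernel: d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d
Agents:
dcbfd12321fa7c4fa9a72486ced578fdc00dcee79e6d95aa481791f044a55af3
XTunnel
XTunnel is an obfuscating network proxy.
4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976
"""

HASH_RE = re.compile(r"\b([0-9a-fA-F]{64})\b")


def parse_iocs(text):
    """Parse the page's plain-text layout into {sha256: (section, tag)}.

    A line holding a 64-hex-digit hash is an indicator; any text before the hash
    ("EFI:", "Implant:") becomes its tag.  A short line with no hash and no colon
    (e.g. "XTunnel", "Grey Energy") starts a new section.  A bare "Agents:" line
    sets the tag for the hashes that follow.  Longer prose lines are ignored.
    """
    iocs = {}
    section, tag = "unknown", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.search(line)
        if m:
            prefix = line[: m.start()].strip().rstrip(":")
            iocs[m.group(1).lower()] = (section, prefix or tag)
        elif line.endswith(":"):
            tag = line[:-1]
        elif len(line.split()) <= 3 and not line.startswith("http"):
            section, tag = line, ""
    return iocs


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Walk root; return [(path, sha256, section, tag)] for each file whose hash is an IOC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable or vanished file: skip, keep scanning
                continue
            if digest in iocs:
                section, tag = iocs[digest]
                hits.append((path, digest, section, tag))
    return hits


def demo():
    """Constructed end-to-end run: plant a file, add its hash as a constructed IOC, scan."""
    root = tempfile.mkdtemp()
    planted = os.path.join(root, "rpcnetp.exe")  # constructed filename, harmless content
    with open(planted, "wb") as f:
        f.write(b"constructed sample content, not malware\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("benign file\n")
    # Append a constructed section so the planted file's hash is treated as an indicator.
    ioc_text = SAMPLE_IOC_TEXT + "Constructed sample\n" + sha256_file(planted) + "\n"
    return scan_tree(root, parse_iocs(ioc_text))


if __name__ == "__main__":
    for path, digest, section, tag in demo():
        print(f"{path}: {digest} ({section}{' / ' + tag if tag else ''})")
```

Two caveats on using this in practice. Exact-hash matching only catches the specific samples listed; a recompile, a changed config blob or a repack produces a different digest, so treat a miss as "not these builds" rather than "clean". And the LoJax EFI hash is of the firmware module, which lives in SPI flash: to check for it you have to dump the flash image and extract the individual UEFI modules (for example with a firmware-analysis tool) before hashing, since a filesystem walk like the one above will never see it.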