APT28 Unleashes the SkinnyBoy Malware
The Russian Advanced Persistent Threat (APT) group tracked as APT28, also known as Fancy Bear, has recently released a new piece of malware into the wild. The malware, dubbed SkinnyBoy, was used against several government institutions in 2021. The attackers appear to have targeted entities associated with foreign affairs, military and defense, and foreign embassies. While some of the attacks targeted members of the European Union, the SkinnyBoy malware was also discovered on compromised networks belonging to United States organizations.
But what does the SkinnyBoy malware do exactly? The threat is typically delivered through a spear-phishing email carrying a Microsoft Word document. While the attachment may look legitimate, it packs a malicious script that extracts and runs a malware downloader. The attackers tailor the phishing email to the recipient; in the observed campaigns, the lure often claimed to notify the user of a pending invitation to an upcoming international event.
After the threat is deployed successfully, it does not launch immediately. Instead, the SkinnyBoy malware configures Windows to start it the next time the system boots. Delayed execution of this kind is a common trick used to avoid detection in sandboxes and by analysts watching the initial infection. Once running, SkinnyBoy uses legitimate built-in Windows utilities to collect information about the compromised system: systeminfo.exe for system and software configuration details, and tasklist.exe for the list of running processes. It then attempts to download and launch additional payloads, but so far these have not been identified.
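The reconnaissance step above (systeminfo.exe followed shortly by tasklist.exe from the same parent process) is something a defender can look for in process-creation telemetry. The following is an added detection example, not code from the original article or from any analysis of the malware; the log format, host names and the parent image path under Temp are constructed for illustration, and the five-minute window is an assumed threshold.

```python
"""Flag a parent process that launches both systeminfo.exe and tasklist.exe
within a short window, the discovery pattern attributed to SkinnyBoy above.
Input: constructed process-creation records (hypothetical sample, not real data).
Fields are space-separated: timestamp, host, parent image, child image."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. ws01 shows the suspicious pair from an executable in
# Temp; ws02 shows an admin running the same tools hours apart from cmd.exe.
SAMPLE_LOG = """\
2021-06-01T09:14:02Z ws01 C:\\Windows\\explorer.exe C:\\Windows\\System32\\notepad.exe
2021-06-01T09:15:10Z ws01 C:\\Users\\u\\AppData\\Local\\Temp\\update.exe C:\\Windows\\System32\\systeminfo.exe
2021-06-01T09:15:11Z ws01 C:\\Users\\u\\AppData\\Local\\Temp\\update.exe C:\\Windows\\System32\\tasklist.exe
2021-06-01T11:40:00Z ws02 C:\\Windows\\System32\\cmd.exe C:\\Windows\\System32\\systeminfo.exe
2021-06-01T15:02:00Z ws02 C:\\Windows\\System32\\cmd.exe C:\\Windows\\System32\\tasklist.exe
"""

RECON_TOOLS = {"systeminfo.exe", "tasklist.exe"}  # the two utilities named in the article


def parse_line(line):
    """Split one record into (time, host, parent image, child file name)."""
    ts, host, parent, child = line.split(" ", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, host, parent, child.rsplit("\\", 1)[-1].lower()


def find_recon_pairs(log_text, window_seconds=300):
    """Return (host, parent) pairs that ran both recon tools within the window.

    Both tools are legitimate and often run by administrators, so the signal is
    the pairing in quick succession, not either execution on its own."""
    seen = defaultdict(list)  # (host, parent) -> [(time, tool), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, host, parent, child = parse_line(line)
        if child in RECON_TOOLS:
            seen[(host, parent)].append((when, child))
    hits = []
    for key, events in seen.items():
        events.sort()
        for i, (when, tool) in enumerate(events):
            later = {t2 for w2, t2 in events[i + 1:] if (w2 - when).total_seconds() <= window_seconds}
            if later - {tool}:  # a different recon tool followed within the window
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    for host, parent in find_recon_pairs(SAMPLE_LOG):
        print(f"recon pair on {host} from {parent}")
```

Tune the window and the set of tools to your own baseline; in a real deployment the parent image path (user-writable locations such as Temp) is a second signal worth weighting.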
The SkinnyBoy malware's primary purpose appears to be espionage and gaining further control over the compromised system or network. Antivirus vendors are already aware of the threat, and keeping their products and signatures up to date should be enough to block a SkinnyBoy infection.