Cyber Command’s latest VirusTotal upload has been linked to an active attack

The malware has been linked with APT28, the same hacking group that breached the DNC during the 2016 election cycle.
U.S. Cyber Command, Gen. Paul Nakasone, NSA
Gen. Paul Nakasone, head of U.S. Cyber Command and the National Security Agency, speaks at the National Defense University in Washington, D.C. (National Defense University / Flickr)

The malware sample that U.S. Cyber Command uploaded to VirusTotal last week is still involved in active attacks, multiple security researchers tell CyberScoop.

Researchers from Kaspersky Lab and ZoneAlarm, a software security company run by Check Point Technologies, tell CyberScoop they have linked the malware with APT28, the same hacking group that breached the Democratic National Committee during the 2016 election cycle.

A variant of the malware is being used in ongoing attacks, hitting targets as recently this month. The targets include Central Asian nations, as well as diplomatic and foreign affairs organizations, Kaspersky Lab principal security researcher Kurt Baumgartner tells CyberScoop.

While ZoneAlarm can’t confirm the targets the attack is focused on, the company detected the specific malware hash in an active attack in the Czech Republic last week, Lotem Finkelsteen, Check Point’s Threat Intelligence Group Manager, tells CyberScoop.


“Although we cannot confirm such an attack, Finkelsteen said, referring to the Kaspersky intelligence, “we think it is possible APT28 manages several efforts simultaneously.”

Baumgartner did not share when APT28, also known as Sofacy or Fancy Bear, first started using the malware, but said the module was compiled last July.

Cyber Command, which shared the malware sample as part of its effort to boost information sharing, did not announce when it uncovered this particular malware sample and did not attribute it to any group.

When it was first posted to VirusTotal, Kaspersky Lab and ZoneAlarm were the only anti-virus engines that flagged the file as malicious. As of this article’s publication, 41 of the 71 engines tracked by VirusTotal detect the malicious file.

According to Kaspersky Lab, the malware resembles XTunnel, a tool APT28 used to breach the DNC in 2016. It also has a few components in common with SPLM/XAgent, according to Baumgartner.


ZoneAlarm research links the malware sample to XTunnel as well.

This variant is a departure from the norm for APT28, since it shows “very few similarities to the previous code” in the rest of the group’s arsenal, according to Baumgartner. He also said the malware is unusual because of how large the file is, coming in at over 3MB.

“For a couple years, [APT28] had minimized their XTunnel code to a very small size. Roughly under 25kb,” Baumgartner said. “It’s unusual for this group to push a large executable like this one.”

Evidence of Success

The malware-sharing program, launched last year and run out of Cyber Command’s Cyber National Mission Force (CNMF), is intended to bolster defenses against adversaries.


When VirusTotal users download malware from the platform they can conduct research to see what the malware has in common with other samples and whether anti-virus software can detect it.

“Recognizing the value of collaboration with the public sector, the CNMF is continuing to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity,” Joe Holstead, a Cyber Command spokesperson, told CyberScoop.

A former policy director at the National Security Council told CyberScoop exposing adversaries’ malware on VirusTotal can have a deterrent effect on adversaries.

“Will it cause them to stop in the near term? I doubt it,” the former NSC director said. “[Posting to VirusTotal] might cause them to work harder and be more selective in their use of tools and targets … but I don’t think they’re going to go away too easily.”

Brandon Levene, head of applied intelligence at Chronicle, which owns VirusTotal, says Cyber Command’s efforts help, but he wants the unit to share more context along with the samples.


“The more malware you have, the more TTPs [tactics, techniques, and procedures] you have, the better context that you can construct for yourself. Then you’re building investigations,” Levene told CyberScoop.

David Hogue, the senior technical director of the NSA’s Cybersecurity Threat Operations Center, said sharing more context, if possible, would be a good idea.

“My personal opinion is that would just be phenomenal,” Hogue said Tuesday in an interview with CyberScoop. “[The VirusTotal effort], we kind of did it to see if it worked, and now that we know it works from both a network defense standpoint and also from a generating goodwill in the cybersecurity community [standpoint] … I think now we take the next steps — do we start adding more context to it, how often do we do it, or how do we continue to improve?”

Although Cyber Command would not comment on attribution or when it uncovered the latest release, the majority of the samples the command has shared have been linked with Russia, according to cybersecurity researchers and VirusTotal.

Levene hopes that the command starts to move beyond Russia with the malware it shares.


“I would love to see a broader range of things being shared, especially given that there is a slight focus from them on APT28 or Sofacy,” Levene said. “NSA has named the big four [it focuses on] as Iran, North Korea, China and Russia and we’re only really seeing one prong of that.”

Correction: Lotem Finkelsteen is Check Point’s Threat Intelligence Group Manager.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts