Threat Management, Threat Management, Threat Intelligence, Malware

Researchers: ‘Roman Holiday’ malware campaign appears to be Russia targeting Italian navy

The Russian threat group Fancy Bear appears to be behind a recent campaign that may have targeted Italy's navy with an updated version of the APT group's XAgent backdoor malware, according to researchers.

Dubbed Roman Holiday, the campaign appears to also involve a malicious dll file that communicates with a command-and-control server bearing the name “marina-info.net” -- an apparent reference to the Italian Marina Militare, according to a July 14 blog post from the Z-Lab research division of Italian cybersecurity firm CSE Cybsec.

Researchers at CSE Cybsec believe this dll could be a final-stage malware program that is triggered only under certain conditions, such as when the infected system has an IP address within a specified range. Moreover, the they suspect this dll is a component of the new XAgent variant, which emerged in the wild in June and affects Windows devices.

CSE Cybsec obtained the XAgent malware from a sample that was submitted to VirusTotal. The blog notes that the variant is downloaded from the internet as a second-stage malware, via a dropper program written in Delphi programming language -- a hallmark of Fancy Bear (aka APT28, Pawn Storm, Sednit, Sofacy, Strontium, etc.)

In a separate malware analysis report, the researchers also note that the campaign was linked to two different malicious servers in Europe and another in China. Using such widespread infrastructure across the globe is an attempt "mislead the analysis" and "create confusion during the reconstruction of the complete cyber-attack," the report states.

Z-Lab experts performed its investigation alongside the independent researcher known by the Twitter handle Drunk Binary (@DrunkBinary).

"In their analysis, the experts were not able to directly connect the malicious dll file to the XAgent samples, but they believe they are both parts of a well-coordinated surgical attack powered by APT28..." the blog post concludes.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds