SkinnyBoy Malware

SkinnyBoy Malware Description

Security researchers from the threat research company Cluster 25 uncovered a new spear-phishing campaign aimed at strategic entities. As part of the attack chain, the researchers found a new malware threat acting as a mid-stage downloader tasked with delivering the final payload onto breached systems. Named SkinnyBoy, the malware has been attributed to the arsenal of the Russian-speaking APT28 group. This threat actor is also tracked under the names Fancy Bear, Sednit, Strontium, Pawn Storm and Sofacy.

SkinnyBoy Characteristics

The SkinnyBoy attack begins with the delivery of phishing emails. Victims receive a fake invitation to an international scientific event that will supposedly take place in Spain at the end of July. Attached to the email is a weaponized Microsoft document containing a malicious macro. When the macro is activated, it extracts a malware downloader in the form of a DLL file.

SkinnyBoy is then delivered to the infected system. The threat arrives as a file named 'tpd1.exe.' Once started, SkinnyBoy attempts to establish persistence by creating an LNK file in the Windows Startup folder. Whenever the compromised system is next rebooted, the LNK is triggered and starts looking for the main SkinnyBoy payload file 'TermSrvClt.dll.' It does so by checking the SHA256 hash of every file stored under C:\Users\%username%\AppData\Local.

The core task performed by SkinnyBoy is delivering the final payload to the infected system. While present on the system, however, the threat also gathers specific information by abusing the built-in Windows tools 'systeminfo.exe' and 'tasklist.exe.' Data is collected from the following files and locations:

  • C:\Users\%username%\Desktop
  • C:\Program Files
  • C:\Program Files (x86)
  • C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
  • C:\Users\%username%\AppData\Roaming
  • C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Templates
  • C:\Windows
  • C:\Users\user\AppData\Local\Temp

The information harvested by SkinnyBoy is then organized, encoded in base64, and exfiltrated to the operation's Command-and-Control servers.
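The persistence and discovery behaviour described above, as an added detection example that is not from the original report or from Cluster 25: it runs over constructed, Sysmon-style sample events (the field names EventType, Image, ParentImage and TargetFilename, and the placement of tpd1.exe under AppData\Local\Temp, are assumptions) and flags the Startup-folder LNK drop and the systeminfo/tasklist launches from a user-writable path.

```python
import re

# Constructed sample telemetry (not from the report): one Startup-folder LNK drop,
# two discovery commands spawned by the downloader, and benign noise that must not match.
# The tpd1.exe location under AppData\Local\Temp is an assumption for illustration.
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "Image": r"C:\Users\alice\AppData\Local\Temp\tpd1.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\systeminfo.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\tpd1.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\tasklist.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\tpd1.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\tasklist.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},  # an admin at a console: benign
    {"EventType": "FileCreate", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\Vendor.lnk"},  # installer shortcut: benign
]

# An LNK written into the per-user Startup folder (the persistence step described above).
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Anything executing from a user-writable AppData path is suspicious as a source of
# persistence or as a parent of discovery tools.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
DISCOVERY_TOOLS = {"systeminfo.exe", "tasklist.exe"}
KNOWN_NAMES = {"tpd1.exe", "termsrvclt.dll"}  # file names quoted in the report

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, offending image) pairs for events matching SkinnyBoy's
    persistence or discovery behaviour; an empty list means nothing matched."""
    findings = []
    for ev in events:
        img = ev.get("Image", "")
        if ev["EventType"] == "FileCreate":
            if STARTUP_LNK.search(ev.get("TargetFilename", "")) and USER_WRITABLE.match(img):
                findings.append(("startup_lnk_from_appdata", img))
        elif ev["EventType"] == "ProcessCreate" and basename(img) in DISCOVERY_TOOLS:
            parent = ev.get("ParentImage", "")
            if USER_WRITABLE.match(parent) or basename(parent) in KNOWN_NAMES:
                findings.append(("discovery_tool_from_appdata", parent))
    return findings

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

On the sample events this reports the LNK drop once and the two discovery launches, and stays silent on the console tasklist and the installer shortcut.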

SkinnyBoy Victims

The SkinnyBoy malware has so far been deployed against a large set of potential victims. APT28 appears to be targeting mainly governmental agencies such as ministries of foreign affairs, defense industry entities, embassies, and military sector organizations. While several of the victims were located in the European Union, APT28 may operate at a larger scale, with the attack possibly affecting U.S. organizations as well.