SoreFang is the name of a hacking tool that has been developed by the infamous Cozy Bear hacking group. This hacking group originates from Russia and is known under the APT29 (Advanced Persistent Threat), Cozy Dukes, The Duke, and Office Monkeys aliases. APT29 tends to target high-profile institutions and individuals. These hackers have been around since 2008, but they remain active to this day.
One of the latest campaigns of the Cozy Bear hacking group targets medical facilities in Canada, the United States, and the United Kingdom. The Cozy Bear group appears to be going after specific faculties, that are responsible for carrying out research regarding the Coronavirus. This leads malware experts to believe that this may be an elaborate reconnaissance operation. APT29 appears to be planting one of three hacking tools on the compromised hosts.
The three hacking tools involved in Cozy Bear's latest campaign are called SoreFang, WellMess, and WellMail. The SoreFang malware is a hacking tool used in older APT29 campaigns. However, in the latest APT29 operation, the SoreFang threat has been stripped from most of its modules and features. In this campaign, the SoreFang malware is mainly used to inject additional payloads in the compromised system. The SoreFang threat is also used to collect data regarding the host, which is then stored in a file and transferred to the attackers' C&C (Command & Control) server. The SoreFang malware is delivered on the targeted host via vulnerabilities that are present in Internet-enabled services on the system that the attackers are targeting. This points to the manual deployment of the SoreFang threat. Cybersecurity analysts believe that the SoreFang malware may be targeting specific devices that are manufactured by the SangFor company.
The Cozy Bear hacking group should not be underestimated. Some researchers believe that APT29 may be carrying out campaigns on behalf of the Russian government.