Researchers: 'Roman Holiday' malware campaign appears to be Russia targeting Italian navy

News by Bradley Barth

The Russian threat group Fancy Bear appears to be behind a recent campaign that may have targeted Italy's navy with an updated version of the APT group's XAgent backdoor malware.

Dubbed Roman Holiday, the campaign also appears to involve a malicious DLL file that communicates with a command-and-control server bearing the name "" -- an apparent reference to the Italian Marina Militare, according to a 14 July blog post from the Z-Lab research division of Italian cyber-security firm CSE Cybsec.

Researchers at CSE Cybsec believe this DLL could be a final-stage malware program that is triggered only under certain conditions, such as when the infected system has an IP address within a specified range. Moreover, they suspect this DLL is a component of the new XAgent variant, which emerged in the wild in June and affects Windows devices.

CSE Cybsec obtained the XAgent malware from a sample that was submitted to VirusTotal. The blog notes that the variant is downloaded from the internet as a second-stage malware, via a dropper program written in the Delphi programming language -- a hallmark of Fancy Bear (aka APT28, Pawn Storm, Sednit, Sofacy, Strontium, etc.).

In a separate malware analysis report, the researchers also note that the campaign was linked to two different malicious servers in Europe and another in China. Using such widespread infrastructure across the globe is an attempt to "mislead the analysis" and "create confusion during the reconstruction of the complete cyber-attack," the report states.

Z-Lab experts performed their investigation alongside the independent researcher known by the Twitter handle Drunk Binary (@DrunkBinary).

"In their analysis, the experts were not able to directly connect the malicious dll file to the XAgent samples, but they believe they are both parts of a well-coordinated surgical attack powered by APT28..." the blog post concludes.
