A well-known Russian state-sponsored cyber-espionage group has used a new Trojan as a secondary payload in recent attacks targeting government entities around the globe, Palo Alto Networks reports.
Also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the Sofacy group is believed to have orchestrated the attacks targeting the 2016 presidential election in the United States.
In a report published today, Palo Alto Networks security researchers revealed that the group recently engaged in attacks targeting government entities in North America, Europe, and a former USSR state.
As part of the attacks, the cyber-spies used documents mentioning the recent Lion Air disaster as a lure and delivered not only the previously documented Zebrocy Trojan, but also a new piece of malware called Cannon.
The new Trojan, the researchers say, contains a novel email-based command and control (C&C) communication channel, likely in an attempt to decrease detection rates, given the common use of email in enterprises.
In an incident targeting a government organization dealing with foreign affairs in Europe, the attackers delivered a malicious Word document via spear-phishing emails. When opened, the document would load a remote template containing a malicious macro and payload.
The attackers used the AutoClose function for the macro, meaning that the malicious code would only be executed when the user closes the document. Once executed, the macro installs a payload and drops a document on the system.
The dropped document is not shown to the user as a decoy; instead it is used to launch the payload, likely a further evasion step on the author's part. The payload is a variant of the Zebrocy Trojan, which collects specific information about the infected system and sends it to the C&C server, which in turn responds with a secondary payload.
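The remote-template technique described above leaves a footprint in the lure document itself: the attached template is declared in the package's relationship parts with an external target. The following Python script is an added illustration, not code from the article or from Palo Alto Networks; it constructs two minimal .docx packages in memory (constructed samples, with a placeholder host name) and flags any attachedTemplate relationship that Word would fetch over the network. Because the macro lives in the remote template, the lure itself contains no VBA, so a check for vbaProject.bin alone would miss it.

```python
"""Flag Office Open XML documents that pull a remote (attached) template.

Added example, not code from the article or from Unit 42.  It constructs
minimal .docx packages in memory and inspects their relationship parts for an
attachedTemplate relationship whose TargetMode is External and whose target
is fetched over the network.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
NETWORK_SCHEMES = {"http", "https", "ftp"}


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return attachedTemplate targets that Word would fetch over the network.

    A template referenced by a file:/// path (Word's own Normal.dotm) is the
    everyday case and is not reported; an http(s)/ftp URL or a UNC path is.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if urlparse(target).scheme in NETWORK_SCHEMES or target.startswith("\\\\"):
                    hits.append(target)
    return hits


def rels_xml(target: str) -> str:
    """word/_rels/settings.xml.rels as Word writes it for an attached template."""
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
        "</Relationships>"
    ) % (REL_NS, ATTACHED_TEMPLATE, target)


def build_docx(settings_rels: Optional[str]) -> bytes:
    """Constructed minimal package: just enough parts to look like a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        )
        if settings_rels is not None:
            zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


# Constructed samples.  The host name is a placeholder, not an indicator.
LURE = build_docx(rels_xml("http://templates.example.invalid/report.dotm"))
NORMAL = build_docx(rels_xml(
    "file:///C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm"))
PLAIN = build_docx(None)

if __name__ == "__main__":
    for label, doc in (("lure", LURE), ("normal", NORMAL), ("plain", PLAIN)):
        print(label, remote_templates(doc))
```

Run against a real mail attachment, the same function works unchanged on the bytes of the .docx; the decision to treat file:/// targets as benign is a tuning choice, since a template path pointing at a UNC share is also worth a look.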
Another delivery document analyzed by the security researchers would drop the Cannon Trojan onto the target systems. Written in C#, the malware mainly functions as a downloader and relies on emails to communicate with the C&C server.
The malware was mainly designed to exfiltrate system data using several email accounts, and ultimately obtain a payload from an email.
The malware includes functions to establish persistence, gather system information, take a screenshot of the desktop, log into the primary POP3 account to obtain the secondary POP3 account, log into the primary POP3 account again to get the path for the downloaded attachment, log into the secondary POP3 account to download the attachment, and finally move the attachment and create a process from it.
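Since Cannon's entire C&C channel is email, the endpoint-side tell is an unexpected process, rather than the user's mail client, opening connections to mail-protocol ports, and a process that both sends (SMTP) and receives (POP3) fits the exfiltrate-then-download behaviour described above most closely. The script below is an added example, not code from the article or from Palo Alto Networks. The records are constructed in the shape of Sysmon network-connection events; the process names, destination addresses and the mail-client allow-list are assumptions to be tuned for a given estate.

```python
"""Flag non-mail-client processes talking to mail-protocol ports.

Added example, not part of the article or the Unit 42 report.  The events
below are constructed samples shaped like Sysmon EventID 3 records; the
executable paths, hosts and allow-list are assumptions, not indicators.
"""
from collections import defaultdict

MAIL_PORTS = {
    25: "smtp", 465: "smtps", 587: "submission",
    110: "pop3", 995: "pop3s", 143: "imap", 993: "imaps",
}
RECEIVE = {"pop3", "pop3s", "imap", "imaps"}
SEND = {"smtp", "smtps", "submission"}

# Processes expected to speak these protocols (assumed allow-list, lower-case).
MAIL_CLIENTS = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\mozilla thunderbird\thunderbird.exe",
}

# Constructed sample events (not real telemetry); wincrypt.exe is a
# hypothetical downloader dropped into the user's profile.
EVENTS = [
    {"host": "WS01", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "10.0.0.25", "dst_port": 993},
    {"host": "WS01", "image": r"C:\Users\jdoe\AppData\Roaming\wincrypt.exe",
     "dst_ip": "198.51.100.7", "dst_port": 110},
    {"host": "WS01", "image": r"C:\Users\jdoe\AppData\Roaming\wincrypt.exe",
     "dst_ip": "198.51.100.7", "dst_port": 587},
    {"host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},
    {"host": "WS02", "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "dst_ip": "10.0.0.25", "dst_port": 995},
]


def suspicious_mail_activity(events):
    """Group mail-port connections by (host, image), skipping allow-listed clients.

    Returns {(host, image): {"protocols": [...], "both_directions": bool}}.
    both_directions is True when the same process both receives mail
    (POP3/IMAP) and sends it (SMTP), the pattern of an email-based downloader
    that also exfiltrates system data.
    """
    seen = defaultdict(set)
    for ev in events:
        proto = MAIL_PORTS.get(ev["dst_port"])
        if proto is None:
            continue  # not a mail protocol port
        if ev["image"].lower() in MAIL_CLIENTS:
            continue  # expected mail client
        seen[(ev["host"], ev["image"])].add(proto)
    return {
        key: {
            "protocols": sorted(protos),
            "both_directions": bool(protos & RECEIVE) and bool(protos & SEND),
        }
        for key, protos in seen.items()
    }


if __name__ == "__main__":
    for (host, image), info in suspicious_mail_activity(EVENTS).items():
        print(host, image, info)
```

In a real deployment the same grouping runs over the network-connection events already collected by EDR or Sysmon; the allow-list should be built from the estate's actual mail clients, and a hit where the image sits under a user profile and talks to a mail server outside the organization deserves immediate triage.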
The attacks show that Sofacy continues to target government organizations in the EU, the U.S., and former Soviet states with both old and new tools. They also highlight two evasion techniques: remote templates, which complicate analysis because the macro-enabled document can only be retrieved while the C&C server is still active, and email-based C&C communication, an old but effective tactic for evading detection.