SecurityWeek
Infamous Russian Hacking Group Used New Trojan in Recent Attacks

A well-known Russian state-sponsored cyber-espionage group has used a new Trojan as a secondary payload in recent attacks targeting government entities around the globe, Palo Alto Networks reports.
Also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the Sofacy group is believed to have orchestrated the attacks targeting the 2016 presidential election in the United States. 

In recent years, the group has been focusing on Ukraine and NATO countries, and recent reports pointed to overlaps between its activity and other state-sponsored operations.

In a report published today, Palo Alto Networks security researchers revealed that the group recently engaged in attacks targeting government entities in North America, Europe, and a former USSR state. 

As part of the attacks, the cyber-spies used documents mentioning the recent Lion Air disaster as a lure and delivered not only the previously documented Zebrocy Trojan, but also a new piece of malware called Cannon. 

The new Trojan, the researchers say, contains a novel email-based command and control (C&C) communication channel, likely chosen to lower detection rates by blending in with the email traffic that is common in enterprise networks.

In an incident targeting a government organization dealing with foreign affairs in Europe, the attackers delivered a malicious Word document via spear-phishing emails. When opened, the document would load a remote template containing a malicious macro and payload.

The attackers placed the macro in the AutoClose function, meaning that the malicious code only executes when the user closes the document. Once executed, the macro installs a payload and drops a document on the system.


The dropped document is not shown to the user as a decoy; it is used only to execute the payload, likely another evasion technique chosen by the document's author. The payload is a variant of the Zebrocy Trojan, which collects specific information from the target system and sends it to the C&C server, which responds with a secondary payload.

Another delivery document analyzed by the security researchers would drop the Cannon Trojan onto the target systems. Written in C#, the malware mainly functions as a downloader and relies on emails to communicate with the C&C server. 

The malware was mainly designed to exfiltrate system data using several email accounts, and ultimately obtain a payload from an email. 

The malware contains numerous functions to establish persistence, gather system information and take a screenshot of the desktop. Its download chain then runs entirely over email: it logs into a primary POP3 account to retrieve the address of a secondary POP3 account, logs into the primary account again to obtain the path for the downloaded attachment, logs into the secondary account to download the attachment, moves the attachment into place and creates a process from it.
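A downloader that speaks POP3 looks nothing like the HTTP beaconing most C&C detections expect, but the protocol choice itself is visible in endpoint network telemetry: a process that is not a mail client opening connections to POP3 ports (110, or 995 for POP3 over TLS), typically to more than one mailbox host, as the description above implies. The hunt below is an added example written for this article, not something from the Palo Alto Networks report. It assumes network-connection events in the shape of Sysmon Event ID 3 fields (`Computer`, `Image`, `DestinationPort`, `DestinationHostname`); the event lines, host names and process paths are constructed for the demo.

```python
"""Hunt for email-based C&C: POP3 connections from processes that are not mail clients.

Added example (not from the report). The events below are constructed in the
shape of Sysmon Event ID 3 records; host and process names are placeholders.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

MAIL_PORTS = {110, 995}  # POP3 and POP3 over TLS

# Processes expected to speak POP3 on a workstation; tune to the environment.
MAIL_CLIENT_ALLOWLIST = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\mozilla thunderbird\thunderbird.exe",
}

# Constructed sample telemetry: one benign Outlook session, one browser
# connection that is ignored, and one unknown binary talking to two mailboxes.
SAMPLE_EVENTS = [
    json.dumps({"Computer": "WS-FINANCE-07", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                "DestinationHostname": "pop.corp-mail.example", "DestinationPort": 995}),
    json.dumps({"Computer": "WS-FINANCE-07", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                "DestinationHostname": "www.example", "DestinationPort": 443}),
    json.dumps({"Computer": "WS-FINANCE-07", "Image": r"C:\Users\a.user\AppData\Roaming\svc_update.exe",
                "DestinationHostname": "pop.mailhost-a.example", "DestinationPort": 995}),
    json.dumps({"Computer": "WS-FINANCE-07", "Image": r"C:\Users\a.user\AppData\Roaming\svc_update.exe",
                "DestinationHostname": "pop.mailhost-b.example", "DestinationPort": 110}),
    json.dumps({"Computer": "WS-FINANCE-07", "Image": r"C:\Users\a.user\AppData\Roaming\svc_update.exe",
                "DestinationHostname": "pop.mailhost-a.example", "DestinationPort": 995}),
]


def suspicious_pop3_clients(raw_events: Iterable[str]) -> Dict[Tuple[str, str], List[str]]:
    """Map (computer, lower-cased image) to the sorted POP3 hosts it contacted.

    Only processes outside the mail-client allowlist are reported; the number
    of distinct hosts per process is what an analyst looks at next, since the
    downloader described in the article uses more than one mailbox.
    """
    hits: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in raw_events:
        ev = json.loads(line)
        if int(ev.get("DestinationPort", 0)) not in MAIL_PORTS:
            continue
        image = str(ev.get("Image", "")).lower()
        if image in MAIL_CLIENT_ALLOWLIST:
            continue
        dest = ev.get("DestinationHostname") or ev.get("DestinationIp", "")
        hits[(ev.get("Computer", ""), image)].add(dest)
    return {key: sorted(hosts) for key, hosts in hits.items()}


if __name__ == "__main__":
    for (computer, image), hosts in suspicious_pop3_clients(SAMPLE_EVENTS).items():
        print(f"{computer}: {image} -> {len(hosts)} POP3 host(s): {', '.join(hosts)}")
```

The allowlist is the weak point of any such rule; pairing it with a signer check on the image, and with the egress proxy's view of which hosts are sanctioned mail providers, turns a noisy hunt into a usable alert.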

The attacks show that Sofacy continues to target government organizations in the EU, U.S., and former Soviet states with both old and new tools. They also revealed the use of remote templates, which complicates analysis because an active C&C server is needed to obtain the macro-enabled document, and the use of email for C&C communication, an old but effective tactic for evading detection.

Related: Russian State-Sponsored Operations Begin to Overlap: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.