
Infamous Russian Hacking Group Used New Trojan in Recent Attacks

A well-known Russian state-sponsored cyber-espionage group has used a new Trojan as a secondary payload in recent attacks targeting government entities around the globe, Palo Alto Networks reports.

Also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the Sofacy group is believed to have orchestrated the attacks targeting the 2016 presidential election in the United States. 

In recent years, the group has been focusing on Ukraine and NATO countries, and recent reports have pointed to overlaps between its activity and other state-sponsored operations.

In a report published today, Palo Alto Networks security researchers revealed that the group recently engaged in attacks targeting government entities in North America, Europe, and a former USSR state. 

As part of the attacks, the cyber-spies used documents mentioning the recent Lion Air disaster as a lure and delivered not only the previously documented Zebrocy Trojan, but also a new piece of malware called Cannon. 

The new Trojan, the researchers say, contains a novel email-based command and control (C&C) communication channel, likely in an attempt to decrease detection rates, given the common use of email in enterprises.

In an incident targeting a government organization dealing with foreign affairs in Europe, the attackers delivered a malicious Word document via spear-phishing emails. When opened, the document would load a remote template containing a malicious macro and payload.

The attackers used the AutoClose function for the macro, meaning that the malicious code would only be executed when the user closes the document. Once executed, the macro installs a payload and drops a document on the system. 


The dropped document is not displayed as a decoy but is used to execute the payload instead, likely another evasion technique chosen by the document's author. The payload is a variant of the Zebrocy Trojan, which collects specific information from the target system and sends it to the C&C. The server responds with a secondary payload.

Another delivery document analyzed by the security researchers would drop the Cannon Trojan onto the target systems. Written in C#, the malware mainly functions as a downloader and relies on emails to communicate with the C&C server. 

The malware was mainly designed to exfiltrate system data using several email accounts, and ultimately obtain a payload from an email. 

The malware contains numerous functions: it adds persistence, gathers system information and takes a screenshot of the desktop; logs into a primary POP3 account to obtain the credentials of a secondary POP3 account and the path for the downloaded attachment; logs into the secondary POP3 account to download the attachment; and finally moves the attachment and creates a process from it.
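The behaviour chain above (a process that logs into POP3 mailboxes, pulls an attachment and then launches it) is exactly the kind of sequence endpoint telemetry can correlate, because a legitimate mail client talks POP3 but a downloader that does so and then spawns a child from the attachment is unusual. The rule below is an added example written for this article, not a detection published by Palo Alto Networks or SecurityWeek; the event schema, the mail-client allowlist and the sample events are all constructed for illustration rather than taken from any real telemetry source.

```python
"""Correlate POP3 network connections with a later child-process creation.

Added example, not the vendor's detection logic. Events model a simplified
endpoint feed: "net" events carry the destination port of an outbound
connection, "proc" events carry the image a process launched. A process
that is not an allowlisted mail client, connects to POP3 (110/995) and
then creates a child within the window is reported.
"""
from collections import defaultdict
from dataclasses import dataclass

POP3_PORTS = {110, 995}
# Assumed allowlist of processes expected to speak POP3 on a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since epoch (constructed values below)
    host: str
    pid: int
    image: str         # full path of the acting process
    kind: str          # "net" or "proc"
    dst_port: int = 0  # net events only
    child_image: str = ""  # proc events only


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_pop3_downloaders(events, window: int = 600):
    """Return (host, pid, image, child_image, pop3_connections) tuples."""
    pop3_seen = defaultdict(list)  # (host, pid) -> timestamps of POP3 connects
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if ev.kind == "net":
            if ev.dst_port in POP3_PORTS and basename(ev.image) not in MAIL_CLIENTS:
                pop3_seen[key].append(ev.ts)
        elif ev.kind == "proc" and key in pop3_seen:
            # Only count POP3 sessions that happened shortly before the spawn.
            recent = [t for t in pop3_seen[key] if 0 <= ev.ts - t <= window]
            if recent:
                alerts.append((ev.host, ev.pid, ev.image, ev.child_image, len(recent)))
    return alerts


# Constructed sample events (three hosts, one true positive).
SAMPLE_EVENTS = [
    # WS-A: unknown binary logs into two mailboxes, then launches a dropped file.
    Event(1000, "WS-A", 4242, r"C:\Users\alice\AppData\Local\Temp\updater.exe", "net", dst_port=995),
    Event(1030, "WS-A", 4242, r"C:\Users\alice\AppData\Local\Temp\updater.exe", "net", dst_port=995),
    Event(1090, "WS-A", 4242, r"C:\Users\alice\AppData\Local\Temp\updater.exe", "proc",
          child_image=r"C:\Users\alice\AppData\Local\Temp\report.exe"),
    # WS-B: a real mail client talks POP3 and opens a document; allowlisted.
    Event(1100, "WS-B", 3100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "net", dst_port=995),
    Event(1120, "WS-B", 3100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "proc",
          child_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # WS-C: unknown binary talks HTTPS only, then spawns a child; no POP3, no alert.
    Event(1200, "WS-C", 5050, r"C:\Users\bob\Downloads\tool.exe", "net", dst_port=443),
    Event(1210, "WS-C", 5050, r"C:\Users\bob\Downloads\tool.exe", "proc",
          child_image=r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for alert in find_pop3_downloaders(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The allowlist is the weak point of any rule of this shape: a malware author can name a binary after a mail client, so in production the check should key on a signed, expected path rather than the file name alone, and the POP3 destinations themselves (which mail providers a workstation has any business reaching) are worth a second, independent rule.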

The attacks show that Sofacy continues to target government organizations in the EU, U.S., and former Soviet states with both old and new tools. The attacks also revealed the use of remote templates, which makes analysis difficult, as an active C&C is needed to obtain the macro-enabled document, and the use of email for C&C communication, an old but effective tactic at evading detection. 

Related: Russian State-Sponsored Operations Begin to Overlap: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
