A recent campaign attributed to the Russian cyber-espionage group Sofacy hit government agencies in four continents in an attempt to infect them with malware, Palo Alto Networks security researchers say.
Also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the Russian state-sponsored hacking group has been focusing on Ukraine and NATO countries in recent years, and the new attacks are no different. The actor is also believed to have targeted the 2016 presidential election in the United States.
Last month, Palo Alto Networks revealed that the group had used a new Trojan called Cannon in attacks on government entities around the globe. Now, the security company has shared additional information on the campaign, which was carried out from mid-October through mid-November, and which employed both Cannon and the previously dissected Zebrocy backdoor.
The common denominator in these attacks is the use of delivery documents that have the same author name: Joohn. Palo Alto Networks identified a total of 9 such documents, along with payloads, and targets associated with this campaign, and says spear-phishing was used for delivery.
The malicious documents used a remote template function in Word to retrieve a malicious macro from the first stage command and control (C&C) server and to load and execute an initial payload. A generic lure image in the documents would request the victim to enable macros.
The delivery documents were sent to a multitude of organizations around the world, including a foreign affairs organization in North America, foreign affairs organizations in Europe, and government entities in former USSR states. Local law enforcement agencies in North America, Australia, and Europe, and NGOs, marketing firms, and organizations in the medical industry might have been targeted too.
In October, the attackers apparently relied heavily on filenames to trick victims into opening the malicious documents. The used topics ranged from Brexit to the Lion Air crash, and recent rocket attacks in Israel. In November, non-generic lure content was used in the weaponized documents.
Palo Alto Networks reveals that, in addition to the delivery documents themselves, the remote templates too shared a common author name. The security researchers also noticed that the servers hosting the remote templates also hosted the C&C for the first-stage payloads.
Because all the C&C servers used in the campaign were IP-based, the security researchers could not identify overlaps or relationships with previous Zebrocy or Sofacy infrastructure.
Four of the identified delivery documents were initially created in September, but modified in mid-October, and all were seen in the wild roughly two weeks later. This would suggest the attack wasn’t ready for deployment, or the attackers were looking to perform their assault at a specific time. The attack window, however, is directly linked to the last time the templates were modified.
The attacks delivered different variants of the Zebrocy Trojan, a first-stage tool, and the Cannon backdoor. The researchers also discovered a Cannon variant written in Delphi, and C# and VB.NET variants of Zebrocy.
“The Sofacy group continues their attacks on organizations across the globe using similar tactics and techniques. […] The group clearly shows a preference for using a simple downloader like Zebrocy as first-stage payloads in these attacks. The group continues to develop new variations of Zebrocy by adding a VB.NET and C# version, and it appears that they also have used different variants of the Cannon tool in past attack campaigns,” Palo Alto Networks concludes.
Related: Infamous Russian Hacking Group Used New Trojan in Recent Attacks
Related: Russian State-Sponsored Operations Begin to Overlap: Kaspersky