Sofacy’s Flash Player Exploit Platform Exposed

Using weaponized Word documents as attachments to phishing emails is not a new attack method, but researchers have discovered an interesting variation: an RTF document with an embedded OLE Word document containing embedded Flash exploits. The purpose is to disguise the attack in layers of obfuscation.

Unit 42, the research team of Palo Alto Networks, recently discovered two variations of this attack, which it has named DealersChoice.A and DealersChoice.B. In both cases it believes the APT group variously known as Sofacy, APT28, Sednit, Fancy Bear and Tsar Team are behind the attacks.

Sofacy’s targets are usually politically motivated, and the group has been strongly linked to Russia. “Based on our telemetry, the attacks delivering DealersChoice documents occurred in August 2016 and focused primarily on organizations in countries that were part of the former Soviet republic,” reports Unit 42 in a blog post. “These malicious documents were delivered to a Ukrainian-based defense contractor as well as a Ministry of Foreign Affairs of a nation state in the same region, both via phishing attacks.”

DealersChoice.A is self-contained. Everything needed comes with the phishing email. In a sample analyzed by Unit 42, an email addressed to a Ukrainian-based defense contractor declared, “Attached you can find statement about possibility of Russian invasion of Ukraine.” The attached RTF file was the pasted copy of a genuine article that first appeared in the Irish Times eight days earlier.

The RTF loads an embedded Word document, which in turn loads one of several embedded Flash files containing the exploit. Internal code checks the version of Flash in use, loads the SWF file matching that version, runs its exploit, and delivers an embedded payload — a version of Carberp.
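The layered structure described above (RTF, then an embedded OLE object, then SWF files inside it) is something a defender can triage without executing anything. The following is an added example, not code from Unit 42 or from the article: it decodes the hex blobs of every `\objdata` control word in an RTF and looks for OLE compound-file and SWF magic bytes. The sample RTF and its object contents are constructed here for illustration.

```python
import re

# SWF container headers: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# OLE compound-file signature, i.e. an embedded Word document.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# \objdata is followed by the embedded object as a hex string.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Decode every \\objdata hex blob in an RTF into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def find_embedded_swf(data: bytes) -> list[int]:
    """Offsets of plausible SWF headers (magic, version byte, 4-byte length)."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (i := data.find(magic, start)) != -1:
            # Require room for the 8-byte header and a sane version byte.
            if i + 8 <= len(data) and 1 <= data[i + 3] <= 64:
                hits.append(i)
            start = i + 1
    return sorted(hits)


def triage_rtf(rtf: bytes) -> dict:
    """Summarise embedded objects; flag any RTF carrying SWF data."""
    blobs = extract_objdata(rtf)
    ole = sum(1 for b in blobs if OLE_MAGIC in b)
    swf = sum(len(find_embedded_swf(b)) for b in blobs)
    return {"objects": len(blobs), "ole_containers": ole,
            "swf_headers": swf, "suspicious": swf > 0}


# Constructed sample: an OLE header followed by two fake SWF headers.
_INNER = (OLE_MAGIC + b"\x00" * 16
          + b"CWS\x0f" + (1234).to_bytes(4, "little") + b"x" * 8
          + b"FWS\x0a" + (99).to_bytes(4, "little") + b"y" * 8)
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
              + _INNER.hex().encode() + b"}}}")
CLEAN_RTF = b"{\\rtf1\\ansi Plain text only}"
```

Run `triage_rtf(SAMPLE_RTF)` against the constructed sample to see one OLE container with two SWF headers flagged; real samples should additionally be checked against the attachment size the article notes.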

Unit 42’s analysis uncovered code that checked for Apple’s Mac OSX. This is redundant since the shellcode relies on Windows APIs and simply will not run under OSX. “While we cannot confirm this,” writes Unit 42, “it is possible that the threat actors could use DealersChoice.A to exploit and load an OSX Trojan if prepared with the appropriate shellcode.”

This would be consistent with Unit 42’s September discovery of Komplex, an OSX Trojan believed to have been developed and used by Sofacy. It is clear that Sofacy has the expertise to attack both Windows and OSX.

DealersChoice.B, discovered in the same timeframe, is different: it is not self-contained. It does not contain any Flash files, but instead contacts a control server to download the relevant Flash file and payload. Unit 42 believes the second variant is an evolutionary development of the first. For one thing, it reduces the size of the weaponized attachment, which no longer has to contain multiple SWF files. The stated size of the attachment in the DealersChoice.A covering email is 398kb, which is very large for an RTF or Word document, possibly up to ten times the size that could be expected. This alone could trigger alarm bells for the recipient.

The researchers were unable to recover the delivered payload from DealersChoice.B and its C2 server, although the server itself has been linked to other Sofacy campaigns. Attempts to fetch a payload returned an HTTP 503 error. However, the details of the response showed the server was running Squid. Unit 42 postulates “that the server is most likely set up as a transparent proxy to forward HTTP requests to another server. The use of this Squid proxy suggests the threat actors want to conceal the true location of their C2 server.”

Apart from unveiling a new attack methodology, the analysis “suggests that this threat group is capable of operating in both Windows and Apple environments,” concludes Unit 42. “Our analysis of DealersChoice has also led us to the discovery of a potential tiered infrastructure that leverages transparent proxies to hide the true location of Sofacy’s C2 servers.”

Sofacy is believed to have been involved in this year’s hacking of the Democratic National Committee (DNC), ultimately resulting in the US government accusing the Russian government of involvement. Last week, Kaspersky Lab suggested that the CyberCaliphate name used by the group that attacked and damaged a French television station (TV5Monde) last year is another alias used by Sofacy.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
