Using weaponized Word documents as attachments to phishing emails is not a new attack method, but researchers have discovered an interesting variation: an RTF document with an embedded OLE Word document containing embedded Flash exploits. The purpose is to disguise the attack in layers of obfuscation.
Unit 42, the research team of Palo Alto Networks, recently discovered two variations of this attack, which it has named DealersChoice.A and DealersChoice.B. In both cases it believes the APT group variously known as Sofacy, APT28, Sednit, Fancy Bear and Tsar Team are behind the attacks.
Sofacy’s targets are usually politically motivated, and the group has been strongly linked to Russia. “Based on our telemetry, the attacks delivering DealersChoice documents occurred in August 2016 and focused primarily on organizations in countries that were part of the former Soviet republic,” reports Unit 42 in a blog post. “These malicious documents were delivered to a Ukrainian-based defense contractor as well as a Ministry of Foreign Affairs of a nation state in the same region, both via phishing attacks.”
DealersChoice.A is self-contained. Everything needed comes with the phishing email. In a sample analyzed by Unit 42, an email addressed to a Ukrainian-based defense contractor declared, “Attached you can find statement about possibility of Russian invasion of Ukraine.” The attached RTF file was the pasted copy of a genuine article that first appeared in the Irish Times eight days earlier.
The RTF loads an embedded Word document, which itself loads one of several embedded Flash files containing the exploit. Internal code checks the version of Flash in use, loads a relevant SWF file, exploits it, and delivers an embedded payload — a version of Carberp.
Unit 42’s analysis uncovered code that checked for Apple’s Mac OSX. This is redundant since the shellcode relies on Windows APIs and simply will not run under OSX. “While we cannot confirm this,” writes Unit 42, “it is possible that the threat actors could use DealersChoice.A to exploit and load an OSX Trojan if prepared with the appropriate shellcode.”
This would be consistent with Unit 42’s September discovery of Komplex— an OSX trojan believed to have been developed and used by Sofacy. It is clear that Sofacy has the expertise to attack both Windows and OSX.
DealersChoice.B, discovered in the same timeframe, is different. It is not self-contained. This one does not contain any Flash files, but rather checks a control server to download the relevant Flash file and payload. Unit 42 believes that the second is an evolutionary development from the first. For one thing, it reduces the size of the weaponized attachment that no longer has to contain multiple SWF files. The stated size on the covering email for DealersChoice.A is 398kb — which is very large for an RTF or Word document; possibly up to ten times the size that could be expected. This alone could trigger alarm bells to the recipient.
The researchers were unable to recover the delivered payload from DealersChoice.B and its C2 server, although the server itself has been linked to other Sofacy campaigns. Attempts to gather a payload returned an HTTP 503 error. However, the detail of the response showed the server using Squid. Unit 42 postulates “that the server is most likely set up as a transparent proxy to forward HTTP requests to another server. The use of this Squid proxy suggests the threat actors want to conceal the true location of their C2 server.”
Apart from unveiling a new attack methodology, the analysis “suggests that this threat group is capable of operating in both Windows and Apple environments,” concludes Unit 42. “Our analysis of DealersChoice has also led us to the discovery of a potential tiered infrastructure that leverages transparent proxies to hide the true location of Sofacy’s C2 servers.”
Sofacy is believed to have been involved in this year’s hacking of the Democratic National Committee (DNC), ultimately resulting in the US government accusing the Russian government of involvement. Last week, Kaspersky Lab suggested that the CyberCaliphate name used by the group that attacked and damaged a French television station (TV5Monde) last year is another alias used by Sofacy.