Posted on March 17, 2018 at 7:14 AM
Russian hacking group Sofacy is identified as responsible for hacking computers at a European government agency. Russian cybercriminals are becoming increasingly bold on the world stage, and researchers say that keeping organizations’ systems up to date goes a long way in preventing malicious access.
European government targeted by cybercriminals
Researchers at Palo Alto Networks have identified new activity from the Fancy Bear group, also known as Sofacy and APT28. According to researchers, the suspected Kremlin-linked organization was observed targeting a European government on March 12 and 14. The group was deploying a version of DealersChoice, which is a platform that exploits a vulnerability in Flash to delivery malicious trojan malware.
Though DealersChoice has been around for some time, this version has been updated to include a new evasion technique. Researchers say they had not previously seen the technique employed before the recent activity from Sofacy. In this technique, malware is not downloaded until the Flash object loads a specific page of a document used to deliver the trojan.
Fancy Bear delivers an enticing lure
The attacks initially began with spear-phishing emails. The emails were sent to government emails with the headline ‘Defence & Security 2018 Conference Agenda‘. Those emails contained an attachment, used to deliver the malware, of the same title. The attachment was an actual agenda from a real conference, and was likely chosen to increase the appearance of legitimacy, and thus bolster the open rate by targeted email users.
Once users open the attachment, the Flash object waits to run until the user has scrolled down to the third page. The approach seems like it might decrease the number of downloads because even if someone opened the doc, they mightn’t scroll through it. However, since the attackers spent the effort in selecting such a targeted document, it is clear that they tailored the trojan for very specific users. The agenda was an elaborate lure designed to get exactly the response desired.
Another reason to have the Flash object run on page three is that the DealersChoice loader is not activated until it appears on the screen. Embedding the object deeper in the document keeps it from triggering immediate detection. The Flash object would likely be something innocuous, like a punctuation mark, anyway. The human eye would miss it, but antiviruses would likely block the email if it were in the first few sentences of a document.
The Flash object itself needs to contact an active C2 server in order to do any real damage. Once activated, the object would download another Flash object that contains more malicious code; then the object would again contact the server for the rest of the payload. The scheme is likely so elaborate such that hackers can stealthily gain access and ability on the target system, enabling attackers to enact surveillance and espionage activities.
Basic security protocols will help protect against this kind of campaign
Researchers are reminding organizations to be sure that their systems are up to date. This most recent attack relied on vulnerabilities in an older version of Flash. The patch for this vulnerability has been available for months. Additionally, researchers are confident in trying this activity to Sofacy/Fancy Bear because of clues found in the attached document.
The last user to have modified the document is listed as Nick Daemoji, who has been listed as such in other campaigns by the organization. Distribution and delivery methods are also similar to other known Sofacy campaigns, expressly the use of customized lures such as documents relating to security and defense conferences.