Russia-linked Sofacy APT group adopts new tactics and tools in last campaign

Pierluigi Paganini June 07, 2018

Sofacy APT group (APT28Pawn StormFancy BearSednitTsar Team, and Strontium) continues to operate and thanks to rapid and continuously changes of tactics the hackers are able to remain under the radar.

According to experts from Palo Alto Networks, the hackers also used new tools in recent attacks, recently the APT group has shifted focus in their interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.

The researchers observed several attacks leveraging the SPLM and the Zebrocy tool between the second and fourth quarters of 2017 against organizations in Asia. The list of targeted countries included China, Mongolia, South Korea and Malaysia.

Back to the present, the Sofacy APT group is using a new version of the Zebrocy backdoor written in a C++, attackers adopted the Dynamic Data Exchange (DDE) attack technique to deliver malware.

The DDE attack technique was exploited to deliver payloads such as the Zebrocy backdoor and the open-source penetration testing toolkit Koadic.

This is the first time that the Russian APT uses the Koadic tool.

“Following up our most recent Sofacy research in February and March of 2018, we have found a new campaign that uses a lesser known tool widely attributed to the Sofacy group called Zebrocy. Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments.” reads the analysis published by Palo Alto Networks.

“This third campaign is consistent with two previously reported attack campaigns in terms of targeting: the targets were government organizations dealing with foreign affairs. In this case however the targets were in different geopolitical regions.”

Palo Alto noticed a change in the tactics used by the hackers, instead of targeting a handful of employees within an organization, they sent phishing messages to “an exponentially larger number of individuals” within the same organization.

Attackers obtained the list of individuals’ emails with simple queries to search engines, this method is also a novelty for the Sofacy APT group.

The researchers linked this campaign to previous attacks, in February Palo Alto Networks reported the Sofacy APT group was hiding infrastructure using random registrant and service provider information in each attack.

“In our February report, we discovered the Sofacy group using Microsoft Office documents with malicious macros to deliver the SofacyCarberp payload to multiple government entities.” continues Palo Alto.

“In that report, we documented our observation that the Sofacy group appeared to use conventional obfuscation techniques to mask their infrastructure attribution by using random registrant and service provider information for each of their attacks. In particular, we noted that the Sofacy group deployed a webpage on each of the domains.”

Sofacy APT

The investigation on this campaign allowed the experts to discover another campaign leveraging the DealersChoice exploit kit and a domain serving the Zebrocy AutoIT downloader.

The version of Zebrocy downloader delivered by this domain is the new one written in C++, the downloader was used to spread the Delphi backdoor hosted at IP address 185.25.50[.]93.

The experts discovered the following hard-coded user agent being used by many samples of Zebrocy targeting the foreign affairs ministry of a large Central Asian nation:

Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko

The experts found two weaponized Office documents implementing the DDE attack technique, the malicious files were used in attacks against a North American government organization dealing with foreign affairs.

Further details, including IoCs are reported in the analysis published by Palo Alto Networks.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Sofacy APT group, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]

 



you might also like

leave a comment