Pierluigi Paganini November 13, 2016

The Pawn Storm APT group exploited some zero-days vulnerabilities in targeted attacks across the world before they get patched.

The Pawn Storm APT group, also known as APT28 and Fancy Bear, exploited some zero-days flaw in targeted attacks before they get patched.

The threat actors powered spear phishing attacks between the discovery of the zero-days and the release of the security patches. This is what has happened between October and early November when the Pawn Storm APT targeted governments and embassies around the world.

The zero-days exploited by the Pawn Storm are the Adobe’s Flash CVE-2016-7855 flaw that was fixed on October 26, and the privilege escalation CVE-2016-7255 flaw in Windows OSthat was fixed on November 8, 2016.

After the CVE-2016-7855 was fixed, the Pawn Storm started to use it in several spear phishing campaigns against still-high-profile targets since October 28 until early November.

In November the Pawn Storm ATP launched spear-phishing campaigns against various governments leveraging on emails with the subject line “European Parliament statement on nuclear threats.” The attackers forged the email addresses of press officer working for the media relations office of the European Union.

When the victim clicks on the link in the spear-phishing e-mail is it redirected to a domain hosting the exploit kit of Pawn Storm.

“The exploit kit will first fingerprint its targets with invasive JavaScript, which uploads OS details, time zone, installed browser plugins, and language settings to the exploit server. The exploit server may then send back an exploit or simply redirect to a benign server.” reads the analysis published by Trend Micro.

The researchers also detected other spear-phishing attacks From October 28 until early November 2016, attackers leveraged on a fake invitation for a real “Cyber Threat Intelligence and Incident Response conference in November” organized by Defense IQ.

The spear-phishing e-mail contained an RTF (Rich Text Format) document called “Programm Details.doc.”

The document has an embedded Flash file (SWF_CONEX.A) that downloads additional files from a remote server.

“Apart from these two campaigns, several others were also launched by Pawn Storm in the period between the discovery of the zero-days and the release of Adobe’s and Microsoft’s patches on October 26 and November 8, 2016.” continues the analysis. “This shows that Pawn Storm ramped up their spear-phishing attacks shortly after its zero-days were discovered.  Not all organizations may have been able to immediately patch Adobe’s Flash, and the Windows vulnerability wasn’t patched until November 8, 2016.”

The analysis also includes the IoC for the above attacks.

Pierluigi Paganini

(Security Affairs – Pawn Storm APT, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]