New Sofacy campaign aims at Government agencies across the world

Pierluigi Paganini December 14, 2018

Security experts at Palo Alto Networks uncovered a new espionage campaign carried out by Russia-Linked APT group Sofacy.

The Russian cyber espionage group Sofacy (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) carried out a new cyber campaign aimed at government agencies on four continents in an attempt to infect them with malware.

As in past attacks, the campaign has focused on Ukraine and NATO member states.

Earlier in December, the group used Brexit-themed bait documents on the same day the UK Prime Minister Theresa May announced the initial Brexit draft agreement with the European Union (EU). In November, experts at Palo Alto Networks documented a new malware, dubbed Cannon, used in attacks on government entities worldwide.

The latest campaign documented by Palo Alto Networks was carried out from mid-October through mid-November; the attackers used both the Zebrocy backdoor and the Cannon Trojan.

Researchers noticed that in all the attacks the threat actors used decoy documents sharing the same author name, Joohn.

“The delivery documents used in the October and November waves shared a large number of similarities, which allowed us to cluster the activity together. Most notably, the author name Joohn was used repeatedly in each delivery document.” reads the analysis published by Palo Alto Networks.

“There was a slight deviation in the November grouping, where the three samples we collected still used the Joohn author name for the last modified field but reverted to a default USER/user author name for the creator field.”

Palo Alto Networks identified a total of nine delivery documents, along with their associated payloads and targets.

Once a document is opened, it leverages Microsoft Word's ability to retrieve a remote template, which is then used to load a malicious macro-enabled document. The delivery document itself carries no macro; the macro only arrives if the remote template is successfully fetched.

“If the C2 server is active at the time the document is opened, it will successfully retrieve the malicious macro and load it in the same Microsoft Word session.” continues the report.

“The victim will then see a prompt to Enable Content as with any malicious macro document. If the C2 server is not active at this time, the download will fail and the victim will not receive a prompt to Enable Content as no macro is downloaded.”
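The two indicators described above, an external attachedTemplate relationship and the recurring Joohn author name, both live in the OOXML package of the delivery document and can be checked without opening it in Word. The following script is an added example, not code from Palo Alto Networks or from the original article: it builds a constructed, benign .docx in memory that mimics the remote-template technique (the template URL, the TEST-NET address 198.51.100.10 and the file names are placeholders, not indicators from the campaign), then inspects it for an external template target, the creator and lastModifiedBy metadata fields, and the presence of an embedded VBA project.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and the relationship type Word uses for an attached template.
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
REL_ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/"
                         "2006/relationships/attachedTemplate")


def make_sample_docx(template_target, creator, last_modified_by):
    """Build a minimal, constructed .docx in memory (hypothetical sample, not a
    real Sofacy document). word/_rels/settings.xml.rels declares the attached
    template as an External relationship, which is how Word learns to fetch it."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
        f'<dc:creator>{creator}</dc:creator>'
        f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{NS_REL}">'
        f'<Relationship Id="rId1" Type="{REL_ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def inspect_docx(data):
    """Extract the static indicators: external template targets, author
    metadata, and whether a VBA project is embedded in the package."""
    findings = {"remote_templates": [], "creator": None,
                "last_modified_by": None, "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        findings["has_vba"] = "word/vbaProject.bin" in names
        if "word/_rels/settings.xml.rels" in names:
            root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
            for rel in root.findall(f"{{{NS_REL}}}Relationship"):
                if (rel.get("Type") == REL_ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    findings["remote_templates"].append(rel.get("Target"))
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            creator = core.find(f"{{{NS_DC}}}creator")
            lmb = core.find(f"{{{NS_CP}}}lastModifiedBy")
            findings["creator"] = creator.text if creator is not None else None
            findings["last_modified_by"] = lmb.text if lmb is not None else None
    return findings


def is_suspicious(findings, author_watchlist=("Joohn",)):
    """Flag a document whose template is fetched over http(s) or whose creator
    or last-modified-by field matches a watched name. The macro is not in the
    file, so a missing vbaProject.bin must never clear the document."""
    remote_http = any(t.lower().startswith(("http://", "https://"))
                      for t in findings["remote_templates"])
    watched = any(a in author_watchlist
                  for a in (findings["creator"], findings["last_modified_by"]) if a)
    return remote_http or watched


if __name__ == "__main__":
    # Placeholder URL on a TEST-NET address; not an indicator from the campaign.
    sample = make_sample_docx("http://198.51.100.10/templates/remote.dotm",
                              "Joohn", "Joohn")
    result = inspect_docx(sample)
    print(result, "suspicious:", is_suspicious(result))
```

Checking the creator and lastModifiedBy fields separately matters for the November wave described above, where only the last-modified field still carried Joohn. A template target that is a plain local path (for example Normal.dotm) is also an External relationship in OOXML, so the check keys on the http(s) scheme rather than on TargetMode alone.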

Sofacy bait

The latest Sofacy campaign hit targets around the world, including a foreign affairs organization in North America, foreign affairs organizations in Europe, and government entities in former USSR states. Experts also discovered evidence of possible targeting of local law enforcement agencies in North America, Australia, and Europe.

Palo Alto Networks reveals that, in addition to the delivery documents themselves, the remote templates shared the same author name. The researchers also noticed that the servers hosting the remote templates also hosted the command and control (C&C) infrastructure for the first-stage payloads.

The Sofacy attackers used different variants of the Zebrocy malware and the Cannon backdoor. Palo Alto Networks identified a Cannon variant written in Delphi and Zebrocy variants written in C# and VB.NET.

“The Sofacy group continues their attacks on organizations across the globe using similar tactics and techniques.” concludes the analysis.

“The group clearly shows a preference for using a simple downloader like Zebrocy as first-stage payloads in these attacks. The group continues to develop new variations of Zebrocy by adding a VB.NET and C# version, and it appears that they also have used different variants of the Cannon tool in past attack campaigns.”


Pierluigi Paganini

(Security Affairs – Sofacy, cyber espionage)
