The threat actors powered spear phishing attacks between the discovery of the zero-days and the release of the security patches. This is what has happened between October and early November when the Pawn Storm APT targeted governments and embassies around the world.
The zero-days exploited by the Pawn Storm are the Adobe’s Flash CVE-2016-7855 flaw that was fixed on October 26, and the privilege escalation CVE-2016-7255 flaw in Windows OSthat was fixed on November 8, 2016.
After the CVE-2016-7855 was fixed, the Pawn Storm started to use it in several spear phishing campaigns against still-high-profile targets since October 28 until early November.
In November the Pawn Storm ATP launched spear-phishing campaigns against various governments leveraging on emails with the subject line “European Parliament statement on nuclear threats.” The attackers forged the email addresses of press officer working for the media relations office of the European Union.
When the victim clicks on the link in the spear-phishing e-mail is it redirected to a domain hosting the exploit kit of Pawn Storm.
The researchers also detected other spear-phishing attacks From October 28 until early November 2016, attackers leveraged on a fake invitation for a real “Cyber Threat Intelligence and Incident Response conference in November” organized by Defense IQ.
The spear-phishing e-mail contained an RTF (Rich Text Format) document called “Programm Details.doc.”
The document has an embedded Flash file (SWF_CONEX.A) that downloads additional files from a remote server.
“Apart from these two campaigns, several others were also launched by Pawn Storm in the period between the discovery of the zero-days and the release of Adobe’s and Microsoft’s patches on October 26 and November 8, 2016.” continues the analysis. “This shows that Pawn Storm ramped up their spear-phishing attacks shortly after its zero-days were discovered. Not all organizations may have been able to immediately patch Adobe’s Flash, and the Windows vulnerability wasn’t patched until November 8, 2016.”
The analysis also includes the IoC for the above attacks.
(Security Affairs – Pawn Storm APT, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.