A hacking group is using updated cyber attacks in a campaign targeting a European government in what are likely to be continued attempts to conduct espionage and surveillance.
The latest campaign by the Fancy Bear group – also known as Sofacy and APT28 and believed to be linked to the Kremlin – has been uncovered by researchers at security company Palo Alto Networks, who observed a campaign taking place on March 12 then again on March 14.
In these attacks, the Sofacy group are employing an updated version of DealersChoice, a platform designed to exploit a Flash vulnerability in order to stealthily deliver a malicious payload in the form of trojan malware.
The updated incarnation of DealersChoice contains a new evasion technique which researchers say hasn’t been observed before – the Flash object only loads when a specific page of the malicious document used to do delivery the attack is viewed.
Attacks against the European government organisation – researchers haven’t specified which country the target is in – start with spear-phishing emails with the subject of “Defence & Security 2018 Conference Agenda” which contain a Word document, titled “Defence & Security 2018 Conference Agenda.docx”
Researchers note that the attackers have copied an agenda directly from a real conference taking place in the UK next week. It’s likely to have been selected to appeal to specially chosen targets within the target government.
If the user opens the Microsoft Word attachment, the Flash object containing an action script to attempt to install the malicious payload will only run if someone scrolls down to the third page of the document.
While this might seem to be a risky approach for the attackers – even if the user opens the document, they may not scroll through – researchers say it demonstrates how the attackers specially tailor the lures to be interesting for specific targets.
“This suggests that the Sofacy group is confident that the targeted individuals would be interested enough in the content to peruse through it,” said Robert Falcone, threat intelligence analyst at Unit 42.
Researchers say the reason the malicious Flash object doesn’t run until the user reaches the third page is because the DealersChoice loader SWF isn’t activated until it appears on screen – a tactic which aids the malicious payload avoid detection.
It exists in the form of a tiny Flash object which word displays as a small black dot – something which users may not give much thought about.
Once activated, this Flash object needs to contact an active C2 server to download an additional Flash object containing additional exploit code and following that, the object will contact the same C2 sever for additional code.
If previous Russian hacking campaigns are anything to go by, the ultimate goal of the attack is to stealthily compromise the system and allow attackers to conduct surveillance and espionage.
The attack working relies on the victim running a vulnerable version of Flash, which serves as a reminder to organisations that they should ensure systems are patched as soon as possible to avoid compromise. In this instance, a patch to close the Flash security holes has been available for months.
Unit 42 has linked this campaign to Sofacy because of clues in the delivery document. The lure is listed as last modified by a user named ‘Nick Daemoji’, which has been the case in previous Sofacy/Fancy Bear campaigns.
The distribution tactics are also similar to other campaigns by Sofacy, which have previously lured victims with the use of documents relating to security and defence conferences.
READ MORE ON CYBER CRIME