Latest APT 28 Campaign Incorporates Fake EFF Spearphishing Scam

An attack that uses the same path names, Java payloads, and Java exploit as one earlier this summer was found leveraging a fake EFF site.

Attackers, possibly associated with the Russian government, registered a phony Electronic Frontier Foundation domain earlier this month in an attempt to dupe users into thinking correspondence from the site was coming from the well-known privacy watchdog.

The scheme, largely carried out via spear phishing, appears to be part of a larger campaign previously dubbed Pawn Storm.

According to a blog post by the EFF’s Cooper Quintin on Thursday the fake domain – – was registered more than three weeks ago and quickly used as part of an attack alongside a recently patched Java zero day.

Oracle patched the vulnerability, along with 200 other bugs, last month as part of its quarterly critical patch update, but that apparently hasn’t stopped the group, also known as APT 28, from carrying out attacks.

For this one, Quintin claims spear phishing emails were sent to targets that contained links to the malicious, fake EFF site. Once clicked on, the site redirects the user to another page on the fake site that contains a Java applet. Assuming the user is running an old, vulnerable version of Java, it’s exploited and the attacker is granted free reign to their machine.

“The attacker, now able to run any code on the user’s machine due to the Java exploit, downloads a second payload, which is a binary program to be executed on the target’s computer,” Quintin writes.

The EFF believes that the path and filename used in the exploit are the same as those used in other attacks carried out by Pawn Storm, particularly Sednit. The Sednit payload, which was analyzed earlier this summer, downloads a .DLL file, which is executed and opens a backdoor to several attacker-controlled domains that exfiltrate data.

Pawn Storm, which was given the moniker APT 28 in a 2014 FireEye report, has been active for years now, but most recently made headlines for carrying out a slew of attacks earlier this summer, including exploiting zero days in Flash, Microsoft, and Java. The FireEye report noted that the attackers operated during business hours, on Moscow time, and use phishing that targets “privileged information related to governments, militaries and security organizations that would likely benefit the Russian government.”

The zero day in Java was actually the first in quite some time, more than two years, found plaguing the platform. Oracle claimed when it was patched, the vulnerability was being used to exploit a U.S.-based defense contractor and foreign military outfits. The group has also been seen carrying out attacks on NATO forces and White House staff in the past.

The EFF is warning that users who haven’t patched the vulnerability in Java are still susceptible and that while the phishing domain has been reported for abuse, it hasn’t been taken offline yet.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.