Sofacy, the Russian-speaking APT group connected to interference in the 2016 U.S. presidential election, has been targeting researchers, admins and others interested in cybersecurity.
Cisco’s security research arm Talos published a report on Sunday describing a campaign linked to Sofacy, also known as Fancy Bear and APT 28 among other names, using a decoy document related to the CyCon U.S. conference as a lure.
CyCon is marketed as an international conference on cyber conflict organized by NATO’s Cooperative Cyber Defense Center of Excellence, which is scheduled for Nov. 7 and 8 in Washington, D.C.
According to Cisco’s analysis of command and control traffic to the attacker’s server at myinfestgroup[.]com, traffic to the domain peaked on Oct. 7, three days after the lure document was created.
Cisco said the connection to Sofacy rests in the use of a dropper called Seduploader, used in other campaigns by the APT group. The group, however, has opted not to use exploits in this particular campaign and is instead relying on a macro embeddd in the lure document that grabs the dropper from the internet.
“This reconnaissance malware has been used by [Sofacy] for years and it is composed of 2 files: a dropper and a payload. The dropper and the payload are quite similar to the previous versions but the author modified some public information such as MUTEX name, obfuscation keys,” Cisco said. “We assume that these modifications were performed to avoid detection based on public IOCs.”
The two-page lure document appears to be a direct copy-and-paste from material available on the conference website; the document contains the logo and sponsor information as well as pertinent information about the theme of the event. The attackers pasted it into a Word document and embedded the macro.
“The goal of this code is to get information from the properties of the document (“Subject”, “Company”, “Category”, “Hyperlink base” and finally “Comments”). Some of this information can be directly extracted from the Windows explorer by looking at the properties of the file,” Cisco said. “The “Hyperlink Base” must be extracted using another tool, strings is capable of obtaining this by looking for long strings. Pay close attention to the contents of these fields as they appear base64 encoded.”
The dropper used in this campaign is different from previous campaigns; Cisco said this one does not seek to elevate privileges, and it just executes the payload and sets up persistence mechanisms seen in previous campaigns.
Seduploader has numerous reconnaissance and espionage capabilities, most notably screenshot capture, data exfiltration, configuration, and the ability to download and execute code.
Cisco said the most noteworthy change in this campaign is the execution of the payload in a standalone mode.
“The reasons for this are unknown, but, we could suggest that they did not want to utilize any exploits to ensure they remained viable for any other operations,” Cisco said. “Actors will often not use exploits due to the fact that researchers can find and eventually patch these which renders the actors weaponized platforms defunct. Additionally the author did some small updates after publications from the security community, again this is common for actors of this sophisticated nature, once their campaigns have been exposed they will often try to change tooling to ensure better avoidance.”