Hackers are now targeting system administrators, researchers and other parties interested in cybersecurity using malware-laden documents, Cisco Talos researchers warn.
Sofacy, a Russian hacking group also known as Tsar Team, APT28, Fancy Bear or Group 74, has been running a malware campaign that targets security experts.
The Cisco Talos researchers report that Sofacy, the hacking group which was allegedly linked to interference in the 2016 United States presidential election, was using a fake Cyber Conflict U.S. conference document as a lure.
Cyber Conflict (CyCon) is an international cyber conflict conference organized by the North Atlantic Treaty Organization (NATO).
The conference, scheduled by NATO’S Cooperative Cyber Defense Center of Excellence (CCDCOE), will be taking place on November 7 and 8 in Washington D.C.
The Sofacy hacking collective sent online security professionals a decoy promotional email related to the conference, but it contained a malicious document.
The email was customized with logos and verbiage from NATO’s conference website hoping it would create a semblance of authenticity.
However, Cisco Talos researchers noted that the two-page document named “Conference_on_Cyber_Conflict.doc” contained a malicious Visual Basic Applications macro code.
While the document is not from the real conference organizers, the information it contains is ripped from their website content.
Previously, the group has been using zero-day attacks and office exploits for their malware campaigns. From the nature of this attack, it is now evident that Sofacy is targeting professionals interested and linked to cybersecurity.
Researchers from Cisco’s arm of research, Talos, conducted an in-depth analysis of commands and traffic control in the attackers’ central server at myinfestgroup.com.
They discovered a random increase of incoming traffic on October 7, three days after the malicious email was created and the malware campaign commenced.
Cisco attributes previous connection to Sofacy’s domain to the use of a dropper or malware called Seduploader.
This malware, which was developed for espionage purposes, can capture screenshots, gather data, execute code, download files and do much more without the victim’s knowledge.
This suggests its primary goal is stealing information. The group, however, opted to use an advanced strain of the malware in this particular campaign.
They embedded a macro code on the false word document which would, in turn, grab the Seduploader malware from the internet.
Sofacy has been using this snooping malware for several years. The malware contains two key files—a payload and a dropper, which are both modified to avoid possible detection by online security experts.
Cisco Talos reports that the files were similar to previous versions but with a slight difference in public information including the MUTEX name and obfuscation keys.
The researchers said that modification to these files would enable the hacking group to complete the campaigns without getting noticed by the public.
The Cisco researchers added that the goal of the malicious code is to get information from the document properties which include the company, subject, hyperlink base, category and comments from participants.
The code can potentially extract such data from the Windows explorer directly by analyzing the file properties. However, the hyperlink base can only be extracted using another tool.
In this case, Seduploader would pay close attention to the field contents (as they appear encoded in base64) and look for instances where long strings are used.
In this malware campaign, Sofacy ensured the dropper is different from other campaigns. Instead of elevating privileges, it executes the payload then sets up a persistence mechanism.
Another major change noted is that the payload execution was independent, meaning it can effectively run in standalone mode.
The reasons as to why the hacking group chose to use a VBA kind of attack remain unknown. However, Cisco says that it is likely they avoided exploits to ensure the attack went unnoticed so that they remain viable for other operations and increase potential for sabotage.
Additionally, they noted that hackers are aware that researchers always patch exploit and other clear infiltration loopholes, rendering their attack platform defunct.
The researchers also predict an increase in such kind of attacks in future.
If state-backed hacking groups can run campaigns targeting high-ranking online security experts such as NATO CCDCOE, and even attempt to exploit the unshaken credibility of the Army Cyber Institute, then we should be ready for more sophisticated attacks in future.
In a statement, a CCDCOE spokesperson also asked the security community and other business leaders to take caution when opening email attachments, including those from legitimate sources.