Fancy Bear drops the Cannon on government entities across US, Europe and the former Soviet Union

• Fancy Bear hackers’ newest malware dubbed Cannon has been targeting government entities across the US, Europe and former USSR.
• The new campaign was first discovered in late October and uses spearphishing emails to distribute malicious payloads.

The Kremlin-linked cyberespionage group APT28, aka Fancy Bear, Sednit, and Pawn Storm is back in action with a new spearphishing campaign that drops a brand new malware dubbed Cannon. The group’s new campaign, which was first spotted in late October, targets government organizations across the US, Europe, and the former USSR.

APT28 was spotted using weaponized documents to drop malicious payloads, which includes the Zebrocy malware. According to security researchers at Palo Alto Networks, who discovered the new campaign, Cannon hasn’t previously been used by APT28. The email uses email to communicate with the C2, which decreases its chances of detection.

“The Sofacy group also leveraged the recent Lion Air disaster as a lure in one of these attacks, which continues to show a willingness to use current events in their social engineering themes,” Palo Alto researchers said in a report.

While APT28 has already used the Zebrocy malware several times in previous campaigns, Cannon is a completely fresh malware sample. The malware is written in C and functions primarily as a downloader. Like Zebrocy, Cannon is also capable of collecting system information and taking screenshots of the targeted computer’s desktop.

“Cannon uses SMTPS and POP3S as its C2 channel compared to Zebrocy that uses a more commonly observed HTTP or HTTPS based C2. This is not a new tactic but may be more effective at evading detection as the external hosts involved are a legitimate email service provider,” the researchers added.

The new campaign indicates that APT28, despite the numerous attributions of attacks, continues to be highly active. In the wake of the cyberattacks that plagued the 2016 US presidential election, the infosec and the US intelligence community blamed APT28 and APT29 for orchestrating attacks aimed at influencing the US democratic process. Following the allegations, various reports cropped up detailing the Russian hackers’ TTPs. However, it appears that despite all the attention APT28 has received from the infosec community, it continues to develop new tools, evolve and pursue global targets.