Kremlin-linked Fancy Bear hit government agencies in four continents

• The Russian cyberespionage group Fancy Bear hit government agencies in four continents in an attempt to infect them with malware.
• The group used a new malware named Cannon to attack these government agencies.

The Russian cyberespionage group Sofacy, also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, hit government agencies in four continents. Researchers revealed last month, that the Sofacy group used a new malware named Cannon to attack these entities.

Recently, researchers have come up with additional information on the attack. According to the researchers, the cyber espionage group utilized the Cannon malware and the Zebrocy backdoor to carry out their attacks.

What happened?

Researchers from Palo Alto networks revealed that the common factor in these attacks is the use of delivery documents that have the same author name ‘Joohn’. The researchers identified a total of 9 such delivery documents, along with payloads, and targets associated with the campaign. They also confirmed that spear-phishing campaign was used to deliver these malicious documents.

The malicious documents used a remote template function in Word to retrieve a malicious macro from the first stage C2 server and to load and execute an initial payload. A generic lure image in the documents requested victims to enable macros.

The delivery documents were sent to a multitude of organizations around the globe, including a foreign affairs organization in North America, multiple foreign affairs organizations in Europe, and government entities in former USSR states. Local law enforcement agencies in North America, Australia, and Europe, as well as NGOs, marketing firms, and organizations in the medical industry, might also have been targeted.

The researchers further spotted that the servers hosting the remote templates also hosted the C2 for first-stage payloads. However, they could not establish a relationship between this campaign and previous Zebrocy or Sofacy infrastructure because all the C2 servers used in the phishing campaign were IP-based.

Researchers believe that the attack was not ready for deployment and the attackers were waiting for a specific time, as four of the identified nine delivery documents were initially created in September and modified later in mid-October. However, all the malicious documents were seen in the wild roughly two weeks later.

“The Sofacy group continues their attacks on organizations across the globe using similar tactics and techniques. The group clearly shows a preference for using a simple downloader like Zebrocy as first-stage payloads in these attacks. The group continues to develop new variations of Zebrocy by adding a VB.NET and C# version, and it appears that they also have used different variants of the Cannon tool in past attack campaigns,” Palo Alto Networks concluded.