The well-known Russian cyber-espionage group Sofacy appears to be shifting tactics and has launched a new attack campaign targeting government, diplomatic and other strategic organizations in North America and Europe. The modus operandi of this attack campaign is based on the rarely used exploit toolkit Zebrocy.
Palo Alto's threat intelligence team Unit 42,noted the group is using phishing emails to spread Zebrocy, a backdoor malware. These phishing emails contain malicious Microsoft Office Documents with macros or other executable attachments which, when clicked on by a user, can initiate the infection process.
In order to trick the users, these spoofed emails are sent with a general subject line such as “implementation of the 2030 agenda for sustainable development” and is purported to be shared by the Uzbekistan government. It then asks the recipient to circulate the letter as a document of the General Assembly.
For the past few years, Zebrocy has been associated with Sofacy which also goes under the names like APT28, Sednit, Fancy Bear and Tsar Team. The group typically targets a small number of users within an organization, usually with the same exploit chain and the same malware.
The last time Sofacy was on the move was in March when it attempted to infect a European government agency with an unknown malware using a new variant of the Adobe Flash-based exploit platform named DealersChoice. Since then, Sofacy has shifted its attack plan and is now using Zebrocy to try and target as many firms as possible by exploiting endpoint targets.
"An interesting difference we found in this newest campaign was that the attacks using Zebrocy cast a far wider net within the target organization: the attackers sent phishing emails to an exponentially larger number of individuals,” Palo Alto researchers Bryan Lee and Robert Falcone wrote in a blog post. “The targeted individuals did not follow any significant pattern, and the email addresses were found easily using web search engines. This is a stark contrast with other attacks commonly associated with the Sofacy group where generally no more than a handful of victims are targeted within a single organization in a focus-fire style of attack".
Experts further noted that victims who downloaded and ran these boobytrapped files were infected with the Koadic RAT or one of three versions (AutoIt, C++, Delphi) of the Zebrocy malware. All the three versions of Zebrocy were deployed in the recent attacks, sometimes against the same organization.
This again, stood out asa unique tactic for an APT, and Sofacy in particular.
"In our research, we have not seen the Sofacy threat group use variations of the same tool developed in multiple languages for the same operating system as part of the same attack campaign," Lee and Falcone mentioned in an email to Bleeping Computer.