Dear Joohn Sofacy campaign exploits Microsoft Word remote template download feature

News by Tom Reeve

Microsoft Word's ability to download remote templates, which can contain malicious macros, is being exploited by the threat group Sofacy using a two-stage download strategy and some carefully crafted phishing documents authored by 'Joohn'.

Palo Alto has released details of an attack on multiple targets using various .docx files that leverage the ability of Microsoft Word to retrieve a remote template to then load a malicious macro.

The .docx files analysed share a common author name and contain a Trojan – either the Zebrocy, Cannon or a Zebrocy Delphi variant.

Palo Alto has attributed the attack to the Sofacy group, otherwise known as Fancy Bear, APT28, Strontium, Pawn Storm and Sednit.

It said the majority of the attacks targeted NATO-aligned nation states, but that several former USSR states were also targeted.

The exploits were delivered in .docx files including one called ‘crash list(Lion Air Boeing 737).docx’ which contained the Zebrocy tool.

Other documents were used but they are all notable for having the same author name attached to them, ‘Joohn’, leading Palo Alto to dub this the ‘Dear Joohn’ campaign.

Delivery of the documents was via spear-phishing attacks originating from legitimately registered email accounts at an email provider called Seznam, a popular web services company in the Czech Republic.

Palo Alto said it was an unusual departure from using spoofed email addresses or hijacked email accounts. However, the attacker has chosen to use the names of trusted organisations and government bodies in the email account names in a bid to foster trust, Palo Alto said.

The analysis is based on nine documents intercepted between 17 October and 15 November. They all shared the same ‘Joohn’ author name and came from national and local government offices in countries spanning four continents.

In one email, the attacker sent a .docx document purporting to be an invitation to a narcotics investigation course with a brief note saying, "Please find enclosed diplomatic note for your information, the hard copy will be delivered today".

Palo Alto said that in common with this example, the Sofacy group relied heavily on the filenames to tempt victims into opening them. Topics included Brexit, the Lion Air crash and recent rocket attacks in Israel.

When activated, the payloads in the .docx files would attempt to contact a command and control (C2) server to download the malicious code. The modular nature of the attack makes it more difficult to identify as malicious, Palo Alto said, but added that if the C2 server is not contactable at the time of the attack, the macro in the .docx file is rendered mostly harmless.

If the C2 server is active when the file is opened, the macro will retrieve the malicious macro and load it into the same Microsoft Word session, Palo Alto said. The user will then be prompted to activate the macro.
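The two-stage trick described above leaves a fingerprint inside the .docx package itself: an attachedTemplate relationship whose target is external. The scanner below is an added example (not code from the article or from Palo Alto) that flags that relationship and the shared 'Joohn' author metadata; the package it scans is a constructed minimal sample, and the template URL is a placeholder.

```python
# Added example (not from the article or Palo Alto): scan a .docx for the remote-template
# loading the Dear Joohn documents rely on, plus the shared 'Joohn' author name.
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DC_NS = "http://purl.org/dc/elements/1.1/"
SETTINGS_RELS = "word/_rels/settings.xml.rels"   # where Word records the attached template
CORE_PROPS = "docProps/core.xml"                  # where the author name lives

def scan_docx(data: bytes, suspect_authors=("Joohn",)) -> dict:
    """Return external template targets and author metadata for a .docx given as bytes."""
    findings = {"remote_templates": [], "author": None, "suspect_author": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if SETTINGS_RELS in names:
            root = ET.fromstring(z.read(SETTINGS_RELS))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                # An attachedTemplate relationship with TargetMode="External" makes Word
                # fetch the template (and any macros in it) from the network on open.
                if (rel.get("Type", "").endswith("/attachedTemplate")
                        and rel.get("TargetMode") == "External"):
                    findings["remote_templates"].append(rel.get("Target"))
        if CORE_PROPS in names:
            core = ET.fromstring(z.read(CORE_PROPS))
            creator = core.find(f"{{{DC_NS}}}creator")
            if creator is not None and creator.text:
                findings["author"] = creator.text.strip()
                findings["suspect_author"] = findings["author"] in suspect_authors
    return findings

def build_sample_docx(template_url: str, author: str) -> bytes:
    """Constructed minimal package (not a real lure) containing only the two parts scanned."""
    rels = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
            f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
            f'Target="{template_url}" TargetMode="External"/></Relationships>')
    core = (f'<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            f'xmlns:dc="{DC_NS}"><dc:creator>{author}</dc:creator></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(SETTINGS_RELS, rels)
        z.writestr(CORE_PROPS, core)
        z.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx("http://remote-template.invalid/placeholder.dotm", "Joohn")
    print(scan_docx(sample))
```

Run over a mail gateway's quarantined attachments, any hit in `remote_templates` is worth a look regardless of author, since the author string is trivial to change and only the network fetch is essential to the technique.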

Palo Alto said that Cannon is a new macro employed by the Sofacy group. Written in C#, the malicious code sits in a namespace called ‘cannon’ which is the basis for the researchers’ name for the Trojan.

It functions primarily as a downloader and, unusually, uses email to communicate with the C2 server. "Email as a C2 channel is not a new tactic, but it is generally not observed in the wild as often as HTTP or HTTPS," Palo Alto said. "Using email as a C2 channel may also decrease the chance of detection, as sending email via non-sanctioned email providers may not necessarily construe suspicious or even malicious activity in many enterprises."

Palo Alto has published additional details including indicators of compromise in its blog.
