The aggressive Russian APT group Sofacy targeted yet another European government agency earlier this month, attempting to infect the organisation with unknown malware using a crafty new variant of its Adobe Flash-based exploit platform DealersChoice.
When it was first exposed in October 2016, DealersChoice was found in spearphishing campaigns that distributed Microsoft Word documents containing embedded Adobe Flash malicious objects capable of retrieving additional malicious payloads. In a 15 March blog post, Palo Alto Networks' Unit 42 threat intelligence team reports that the latest version of DealersChoice operates in much the same way, but with several intriguing new twists.
For instance, Sofacy (aka Fancy Bear, APT28, Pawn Storm, Sednit, Tsar Team, and Strontium) now attempts to evade automated sandboxing by requiring its intended victims to first manually interact with the phishing document before the Small Web Format (SWF) file responsible for starting the exploit chain actually launches. According to the researchers, this technique has never before been observed in the wild.
In the attack against the unnamed European organisation, the SWF-based loader was located near a PNG image on page three of the lure document, hidden as a tiny black box that would be easy to overlook. "The SWF runs only when the user scrolls to page three, as that is where the actor placed the SWF object," said blog post author and cyber threat intelligence analyst Robert Falcone, in an email interview with SC Media. "This is an anti-sandbox technique, as sandboxes are automated tools that try to open files to analyse them, but cannot act exactly like a human user. In this case, most sandboxes do not open documents and scroll through the pages to read the content as a human could [or] would."
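A defender-side check for the delivery mechanism described above (a Flash object stored as an embedded ActiveX part of a DOCX) is shown below as an added example; it is not code from the article or from Unit 42. The DOCX fixture is constructed inside the script, and the CLSID it looks for is the well-known Shockwave Flash ActiveX class id, assumed here to be what a Word-embedded Flash control references.

```python
import io
import re
import zipfile

# Every SWF file starts with one of these signatures: raw, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# SWF header = signature + version byte (well below 64 for every Flash version); spots SWFs wrapped in OLE.
SWF_HEADER = re.compile(rb"(?:FWS|CWS|ZWS)[\x00-\x3f]")
# Well-known CLSID of the Shockwave Flash ActiveX control, as referenced from word/activeX/*.xml.
FLASH_CLSID = b"D27CDB6E-AE6D-11CF-96B8-444553540000"
# Parts of a DOCX where Word stores embedded OLE/ActiveX binaries.
OBJECT_DIRS = ("word/embeddings/", "word/activeX/")


def scan_docx_for_flash(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (part name, reason) for each part of a DOCX that carries Flash content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith("/"):
                continue  # directory entry, nothing to read
            data = z.read(name)
            if data[:3] in SWF_MAGIC:
                findings.append((name, "part is a raw SWF file"))
            elif name.startswith(OBJECT_DIRS) and name.endswith(".bin") and SWF_HEADER.search(data):
                findings.append((name, "SWF header inside embedded object"))
            elif name.endswith(".xml") and FLASH_CLSID in data.upper():
                findings.append((name, "ActiveX part references the Flash control CLSID"))
    return findings


def build_sample_docx(with_flash: bool = True) -> bytes:
    """Constructed fixture: a minimal DOCX-shaped zip, optionally with a Flash ActiveX object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            z.writestr("word/activeX/activeX1.xml",
                       '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>')
            # zlib-style "CWS" signature, version 10, then padding; not a real Flash file.
            z.writestr("word/activeX/activeX1.bin", b"CWS\x0a" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for part, reason in scan_docx_for_flash(build_sample_docx()):
        print(f"{part}: {reason}")
```

Run it over the `word/` parts of a real document to triage attachments; any hit is worth a closer look even though it says nothing about what the SWF does once it runs.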
But that's not where the deception ends. Sofacy also modified the DealersChoice Flash object code to include ActionScript from the open-source video player f4player. In concert with this change, the DealersChoice C2 server disguises its responses as HTTP Live Streaming (HLS) traffic, making its communications appear to be merely legitimate audio and video files.
The spearphishing document itself appeared to target an entity with an interest in the defence industry. It arrived with the subject line "Defence & Security 2018 Conference Agenda" and included a DOCX file showing a conference schedule, which was lifted directly from the agenda of an actual event, the Underwater Defence & Security 2018 Conference.
The tactics observed here are consistent with other recent Sofacy campaigns that have similarly attempted to phish government organisations worldwide, sometimes with defence-themed documents. For example, in February Sofacy reportedly targeted foreign affairs agencies and ministries in North America and Europe with a phishing campaign using spoofed emails that purported to offer information about upcoming defence events. And on 28 February 2018, it was separately reported that Sofacy stole data from Germany's Foreign and Defence Ministries in December 2017.
While the final payload in this latest cyber-assault is unknown, Unit 42 researchers noted that past DealersChoice campaigns were used to distribute the SofacyCarberp (aka Seduploader) reconnaissance malware payload.