Sofacy APT unleashes new 'Cannon' trojan

News by Rene Millman

Russian hackers use plane crash video as spear-phishing bait in bid to distribute new malware known as Cannon.

Cannon is a new piece of malware from APT group Sofacy (pic: Estt/GettyImages)

Russian hacking group Sofacy has launched a new piece of malware dubbed ‘Cannon’ in a spear-phishing attack that targets government organisations in Europe, the US and a former eastern bloc country.

According to security researchers at Palo Alto Networks, this new campaign was discovered in late October and early November. The attack uses Microsoft Word documents that load remote templates carrying a malicious macro and payload.

In a blog post, the researchers said analysis of some of the documents revealed a consistent first-stage payload, the well-documented Zebrocy Trojan, while other documents delivered Cannon, a previously unseen first-stage payload.

One document of interest used the name "crash list(Lion Air Boeing 737).docx", referring to Lion Air Flight 610, which crashed near Jakarta, Indonesia, in October.

"This is not the first instance of an adversary group using recent current events as a lure, but it is interesting to see this group attempt to capitalise on the attention of a catastrophic event to execute their attack," said researchers.

Another file appeared to target, via spear-phishing, a European government organisation dealing with foreign affairs. When the user opens the document, Microsoft Word immediately attempts to load a remote template, containing a malicious macro and the payload, from the location specified in the settings.xml.rels relationship file inside the *.docx archive.
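The remote-template mechanism described above is easy to check for statically, because a .docx is a zip archive and the template link is an ordinary OOXML relationship. The following scanner is an added example (not code from Palo Alto Networks or from the article): it opens a .docx, reads word/_rels/settings.xml.rels, and reports any attachedTemplate relationship whose target is fetched over the network. The helper that builds a minimal .docx is there only to give the scanner constructed input; the URLs, hostnames and file names in it are hypothetical.

```python
"""Detect a remote attachedTemplate relationship in a .docx (added example)."""
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# Only these target forms make Word fetch the template over the network.
# Word also writes TargetMode="External" for an ordinary local template
# (Target="file:///C:/.../Normal.dotm"), so matching on TargetMode alone
# would flag almost every document; the scheme check avoids that.
REMOTE_TARGET = re.compile(r"^(?:https?://|ftp://|\\\\)", re.IGNORECASE)


def find_remote_templates(docx_bytes):
    """Return the targets of remote attached templates declared in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no settings relationships, so no attached template
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                hits.append(target)
    return hits


def build_sample_docx(template_target):
    """Constructed minimal .docx (not a sample from the campaign).

    With template_target set, the package carries settings.xml with an
    attachedTemplate reference and the matching relationship; with None it
    has no template link at all.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p/></w:body></w:document>'
    )
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        if template_target is not None:
            rels = (
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<Relationships xmlns="%s">'
                '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                '</Relationships>'
            ) % (REL_NS, ATTACHED_TEMPLATE, html.escape(template_target, quote=True))
            zf.writestr("word/settings.xml", settings)
            zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical targets: 192.0.2.0/24 is the documentation range.
    for label, target in [
        ("http template", "http://192.0.2.10/remote.dotm"),
        ("UNC template", r"\\192.0.2.10\share\remote.dotm"),
        ("local Normal.dotm", "file:///C:/Users/u/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
        ("no template", None),
    ]:
        print("%-18s -> %s" % (label, find_remote_templates(build_sample_docx(target))))
```

To scan real files, pass the bytes of each .docx or .dotx to find_remote_templates; mail gateways can apply the same check to attachments before delivery, since it needs no macro parsing and no detonation.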

Once executed, the Zebrocy Trojan gathers system-specific information and takes a screenshot of the victim host, saved as a JPEG image, and sends both to the C2 server in an HTTP POST request, as other Zebrocy samples do.

Cannon, by contrast, acts as a downloader and uses email, rather than HTTP, to communicate between the Trojan and its C2 server.

"The overall purpose of Cannon is to use several email accounts to send system data (system information and screenshot) to the threat actors and to ultimately obtain a payload from an email from the actors," said researchers.

Researchers said that Sofacy is once again targeting government organisations in the EU, the US and former Soviet states to deliver the Zebrocy tool as a payload. They added that these attacks are designed to make detection more difficult, as the external hosts involved belong to a legitimate email service provider.

"Add the layer of encryption that the SMTPS and POP3S protocols provide to the legitimate web-based service and you have a very difficult C2 channel to block," they said.
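Because the channel is encrypted and terminates at a legitimate provider, blocking by destination is impractical; what remains observable on the endpoint is which process is speaking mail protocols. The detection below is an added example (not from Palo Alto Networks or the article) that correlates network-connection events per host and process and reports any non-mail-client binary using SMTPS, SMTP submission, IMAPS or POP3S, rating higher a process that both sends and fetches, which is the pattern described above of sending collected data out and pulling a payload back. The record field names, the allowlist of mail clients, and the sample events (hostnames under .test and addresses in documentation ranges) are all constructed assumptions.

```python
"""Flag non-mail-client processes using mail protocols (added example)."""

# Assumed record shape, modelled loosely on an endpoint network-connection
# event (e.g. a Sysmon Event ID 3): host, image, dst_host, dst_port.
MAIL_PORTS = {465: "SMTPS", 587: "SMTP-submission", 993: "IMAPS", 995: "POP3S"}
SEND_PORTS = {465, 587}
FETCH_PORTS = {993, 995}
# Processes expected to speak mail protocols on a workstation (assumption;
# tune to the estate, e.g. add the mail client actually deployed).
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def find_mail_channel_abuse(events):
    """Group mail-port connections by (host, process) and report the
    processes that are not known mail clients.

    severity is "high" when the same process both sends (465/587) and
    fetches (993/995) mail, "medium" when it does only one of the two.
    """
    by_proc = {}
    for ev in events:
        if ev["dst_port"] not in MAIL_PORTS:
            continue
        key = (ev["host"], ev["image"])
        entry = by_proc.setdefault(key, {"ports": set(), "dst_hosts": set()})
        entry["ports"].add(ev["dst_port"])
        entry["dst_hosts"].add(ev["dst_host"])

    findings = []
    for (host, image), info in sorted(by_proc.items()):
        name = image.rsplit("\\", 1)[-1].lower()
        if name in ALLOWED_MAIL_CLIENTS:
            continue
        sends = bool(info["ports"] & SEND_PORTS)
        fetches = bool(info["ports"] & FETCH_PORTS)
        findings.append({
            "host": host,
            "image": image,
            "severity": "high" if sends and fetches else "medium",
            "protocols": sorted(MAIL_PORTS[p] for p in info["ports"]),
            "dst_hosts": sorted(info["dst_hosts"]),
        })
    return findings


# Constructed sample events; none of these are real hosts or samples.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_host": "imap.example-mail.test", "dst_port": 993},
    {"host": "WS01", "image": r"C:\Users\user\AppData\Roaming\svc\updater.exe",
     "dst_host": "smtp.example-mail.test", "dst_port": 465},
    {"host": "WS01", "image": r"C:\Users\user\AppData\Roaming\svc\updater.exe",
     "dst_host": "pop.example-mail.test", "dst_port": 995},
    {"host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "dst_host": "203.0.113.5", "dst_port": 443},
    {"host": "WS02", "image": r"C:\Tools\sendreport.exe",
     "dst_host": "smtp.example-mail.test", "dst_port": 587},
]


if __name__ == "__main__":
    for finding in find_mail_channel_abuse(SAMPLE_EVENTS):
        print(finding)
```

On the sample, OUTLOOK.EXE is ignored as an allowed client, svchost.exe never touches a mail port, updater.exe is rated high because it both sends over SMTPS and polls over POP3S, and sendreport.exe is rated medium for submission only. In production the allowlist should be by full path and signer rather than file name, since a name alone is trivially spoofed.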

Simon McCalla, CTO at Nominet, told SC Media UK that the attacks won’t just be limited to political organisations. Financial organisations, because of their inherent power, could also face hacking attempts from groups like these.

"Users, in the first instance, should exercise caution and diligence when opening emails from unknown sources. While these attempts might be more sophisticated than other attempts, they can still be relatively crude and so those who are on the receiving end of the email should exercise caution before clicking any attachments. Educating the team who might be on the receiving end of these emails on how to spot and deal with the emails is your first step," he said.
