APT 28 hackers used a weaponized document targeting those with an interest in October’s Lion Air Boeing 737 crash, which killed everyone aboard.
Photo: AP

Security firm Palo Alto Networks on Tuesday issued a new warning about phishing attacks linked to APT 28, the elite Russian hacking group tied to the 2016 election interference in the United States.

According to researchers, the attack begins with a single weaponized document, which in turn retrieves malicious code from its command and control (C2) server over an email-based channel. Because the C2 server was left online, the researchers were able to capture samples of the malicious macro—code that runs a specific set of commands—and of the subsequent malware payloads.


The document, sent to myriad targets in North America, Europe, and a former Soviet state, was designed to capture the attention of those interested in the Lion Air 737 MAX crash in late October, which killed all 189 aboard. The document is titled: “crash list(Lion Air Boeing 737).docx.”

Palo Alto Networks identified the first malware used in the attack as Zebrocy, which APT 28—also known as Fancy Bear and Sofacy—is known to have used in the past. The downloader/backdoor has previously been deployed against a wide range of diplomatic targets, likewise spread using a weaponized document (typically a Microsoft Word file).

The researchers say APT 28 has not been observed previously using the stage-two malware, which they’ve codenamed “Cannon” and which also relies on an email-based C2 channel to communicate with the attackers.


“Email as a C2 channel is not a new tactic, but it is generally not observed in the wild as often as HTTP or HTTPS,” Palo Alto Networks said in a blog Tuesday. “Using email as a C2 channel may also decrease the chance of detection, as sending email via non-sanctioned email providers may not necessarily construe suspicious or even malicious activity in many enterprises.”
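The quoted point is that mail traffic to non-sanctioned providers tends to pass unnoticed, which is exactly what a defender can turn into a detection. The script below is an added example written for this article, not code from Palo Alto Networks or from the report it describes. It parses constructed egress-firewall log lines (a hypothetical key=value format), flags mail-protocol connections (SMTP for sending, POP3/IMAP for retrieving) to hosts outside a hypothetical allow-list of the organisation’s sanctioned mail servers, and then singles out internal hosts that both send and fetch through such providers, the round-trip pattern an email-based C2 channel needs. The host names, IPs and allow-list are all assumed values.

```python
import re
from collections import defaultdict

# Ports used to send mail (SMTP) and to retrieve it (POP3/IMAP).
SEND_PORTS = {25, 465, 587}
FETCH_PORTS = {110, 143, 993, 995}
MAIL_PORTS = SEND_PORTS | FETCH_PORTS

# Hypothetical allow-list of the organisation's sanctioned mail servers.
SANCTIONED_MAIL_HOSTS = {"mail.corp.example", "smtp.corp.example"}

# Constructed sample egress-firewall log lines (hypothetical key=value format).
SAMPLE_LOGS = """\
2018-11-20T10:02:11Z src=10.1.4.22 dst=192.0.2.10 dst_host=mail.corp.example dport=587 proto=tcp action=allow
2018-11-20T10:02:40Z src=10.1.4.22 dst=203.0.113.5 dst_host=www.example.net dport=443 proto=tcp action=allow
2018-11-20T10:03:02Z src=10.1.4.22 dst=198.51.100.7 dst_host=smtp.freemail.example dport=587 proto=tcp action=allow
2018-11-20T10:03:05Z src=10.1.4.22 dst=198.51.100.7 dst_host=pop3.freemail.example dport=995 proto=tcp action=allow
2018-11-20T10:04:00Z src=10.1.4.31 dst=192.0.2.11 dst_host=smtp.corp.example dport=25 proto=tcp action=allow
2018-11-20T10:05:17Z src=10.1.4.31 dst=198.51.100.9 dst_host=imap.otherprovider.example dport=993 proto=tcp action=allow
2018-11-20T10:06:01Z src=10.1.4.40 dst=198.51.100.7 dst_host=smtp.freemail.example dport=587 proto=tcp action=deny
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    try:
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec


def unsanctioned_mail_events(log_text, sanctioned=SANCTIONED_MAIL_HOSTS):
    """Return allowed mail-protocol connections whose destination is not a sanctioned mail host."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("action") != "allow":
            continue  # blocked or unparsable traffic is not a successful channel
        if rec["dport"] in MAIL_PORTS and rec.get("dst_host") not in sanctioned:
            events.append(rec)
    return events


def summarize_by_source(events):
    """Group flagged events by internal source IP so each host can be triaged."""
    summary = defaultdict(list)
    for rec in events:
        summary[rec["src"]].append((rec["dst_host"], rec["dport"]))
    return dict(summary)


def bidirectional_sources(events):
    """Sources that both sent and fetched mail via non-sanctioned hosts: the C2 round-trip shape."""
    sent, fetched = set(), set()
    for rec in events:
        if rec["dport"] in SEND_PORTS:
            sent.add(rec["src"])
        elif rec["dport"] in FETCH_PORTS:
            fetched.add(rec["src"])
    return sorted(sent & fetched)


if __name__ == "__main__":
    flagged = unsanctioned_mail_events(SAMPLE_LOGS)
    for src, dests in summarize_by_source(flagged).items():
        print(f"{src}: {dests}")
    print("send+fetch via unsanctioned providers:", bidirectional_sources(flagged))
```

A single flagged connection is only a lead (a user checking personal webmail over IMAP looks the same), so the summary per source and the send-plus-fetch filter are there to rank hosts for triage rather than to alert on every hit; in a real deployment the allow-list would be fed from the mail gateway configuration rather than typed in.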

Security researchers at FireEye likewise reported on Monday new intrusion attempts by APT 29, the Kremlin-linked hacking group also known as “Cozy Bear.” In this case, however, the hackers posed as a U.S. State Department employee and targeted think tanks, defense contractors, and U.S. military offices, among others.

[Wired, Forbes]
