The Russian hacking group known as APT28 (aka Fancy Bear or Sofacy) is back, ironically targeting people with an interest in cybersecurity using a decoy document relating to the Cyber Conflict US conference.
The CyCon US event is a collaborative effort between the Army Cyber Institute at the United States Military Academy, the NATO Cooperative Cyber Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence. Using the file name Conference_on_Cyber_Conflict.doc, it contains two pages with the logo of the organizer and the sponsors. The exact content of the document can be found online on the conference website—so the attackers probably copy/pasted it into Word to create the malicious document.
“Analysis of this campaign shows us once more that attackers are creative and use the news to compromise the targets,” said researchers at Cisco Talos, which uncovered the campaign. “This campaign has most likely been created to allow the targeting of people linked to or interested by cybersecurity, so probably the people who are more sensitive to cybersecurity threats.”
The firm found that the payload is a new variant of Seduploader, a reconnaissance malware that the group has been using for years. The new version has a few modifications to help it avoid detection based on public indicators of compromise.
The payload features are similar to the previous versions of Seduploader, and allows screenshot capture, data and configuration exfiltration, remote code execution and file downloading. As opposed to previous campaigns performed by this actor, this latest version does not contain privilege escalation.
Also, unlike previous campaigns from the actor, the flyer does not contain an Office exploit or a zero-day, but simply contains a malicious Visual Basic for Applications (VBA) macro.
“Due to this change, the fundamental compromise mechanism is different as the payload is executed in a standalone mode,” Cisco researchers noted, in a blog. “The reasons for this are unknown, but, we could suggest that they did not want to utilize any exploits to ensure they remained viable for any other operations. Actors will often not use exploits due to the fact that researchers can find and eventually patch these which renders the actors' weaponized platforms defunct.”