The Sofacy group, also known as APT28 and Fancy Bear, has carried out an attack on an unnamed European government agency using an updated variant of DealersChoice.
Details of the attack, which have been published by Unit42 – part of Palo Alto Networks – describe the espionage group using .docx files titled “Defence & Security 2018 Conference Agenda,” whose content appears to have been copied directly from the website for the “Underwater Defence & Security 2018 Conference.”
Back in October 2016, the security researchers published an initial analysis of a Flash exploitation framework used by the Sofacy threat group called DealersChoice. The attack consisted of Microsoft Word delivery documents containing Adobe Flash objects capable of loading additional malicious Flash objects, either embedded in the file or provided directly by a command and control server. Sofacy continued to use DealersChoice throughout the fall of 2016, as documented in December 2016.
However, the attacks that took place on March 12 and 14 used a different variation of the spear-phishing attack, something not seen from Sofacy before.
Unlike in the fall of 2016, the Flash object in the document is only loaded if the user scrolls through the entire content of the delivery document and views the specific page the Flash object is embedded in. Then the object contacts an active C2 server to download an additional Flash object containing exploit code.
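The delivery mechanism described above relies on a Flash object stored inside a DOCX container, and a DOCX is just a zip archive, so a triage check can look for that object without ever rendering the document or touching the C2 server. The following is an added example written for this article, not code from Unit42 or from the Sofacy analysis; it checks every part of the archive for an SWF header (FWS, CWS or ZWS) and checks ActiveX property parts for the Shockwave Flash control CLSID. The sample DOCX it builds is constructed inline for the demonstration and is not one of the attack documents; the part names and structure are assumptions based on how Word stores ActiveX controls.

```python
import io
import zipfile

# Magic bytes of the three SWF container flavours (uncompressed, zlib, LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# CLSID of the Shockwave Flash ActiveX control, as it appears in word/activeX/*.xml
# when Word hosts a Flash object on a page (compared lower-cased).
FLASH_CLSID = b"d27cdb6e-ae6d-11cf-96b8-444553540000"


def find_embedded_flash(docx_bytes: bytes) -> list:
    """Return sorted names of parts in a DOCX (zip) that look like Flash content.

    Two checks: (1) any part whose first bytes are an SWF header, wherever it is
    stored; (2) any ActiveX property part that references the Flash control CLSID.
    """
    hits = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if data[:3] in SWF_MAGIC:
                hits.add(name)
            elif name.startswith("word/activeX/") and FLASH_CLSID in data.lower():
                hits.add(name)
    return sorted(hits)


def build_sample_docx(with_flash: bool) -> bytes:
    """Construct a minimal DOCX-shaped zip for the demonstration (not a real attack document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            # Property part naming the Flash control, in the shape Word writes for an
            # embedded ActiveX object (assumed layout).
            z.writestr("word/activeX/activeX1.xml",
                       '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
            # Constructed part carrying a zlib-SWF header plus filler, to exercise the
            # magic-byte check; real binaries are wrapped in an OLE compound file.
            z.writestr("word/activeX/activeX1.bin", b"CWS\x0a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for flagged in (False, True):
        print("flash present" if flagged else "benign", find_embedded_flash(build_sample_docx(flagged)))
```

Because the exploit object is fetched from the C2 server only after the user scrolls to the right page, a sandbox that never scrolls sees nothing, whereas this static check sees the embedded Flash control regardless of user interaction. A Flash object inside an inbound Word document is a strong enough signal on its own to quarantine the file for analysis.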
Robert Falcone, the author of the findings, wrote: “The Sofacy threat group continues to use their DealersChoice framework to exploit Flash vulnerabilities in their attack campaigns. In the most recent variant, Sofacy modified the internals of the malicious scripts but continues to follow the same process used by previous variants by obtaining a malicious Flash object and payload directly from the C2 server.
“Unlike previous samples, this DealersChoice used a DOCX delivery document that required the user to scroll through the document to trigger the malicious Flash object. The required user interaction turned out to be an interesting anti-sandbox technique that we had not seen this group perform in the past.”
However, because of the several steps and vulnerabilities required for this attack to exploit its victim, the chance of success is considered to be lowered.