Visibly functioning since at least the mid-2000s, the Sednit group (aka APT28/ Sofacy /Fancy Bear /Pawn Storm) has been the purported source of numerous attacks on high-value and highly sensitive targets. Attacks against the French and German Election Processes as well as campaign(s) against the U.S. Government highlight just a few of their recently attributed efforts.

CERT-EU (Computer Emergency Response Team for the EU Institutions) recently reported on a campaign which, again, illustrates this group’s capability. This most recent example is targeted directly at the information security community/ industry.

The spear-phishing campaign directly targets attendees of the 2017 International Conference on Cyber Conflict U.S. conference (CyCon U.S.). This is a NATO-organized conference scheduled to occur in Washington D.C between the 7th and 8th of November 2017.

Watch CylancePROTECT® guard against recent malware used by APT28:

VIDEO: CylancePROTECT vs. APT28's VBA Malware

The phishing campaign was launched early-to-mid October and included a weaponized Microsoft Word document (ex: Conference_onCyber_Conflict.doc).

Multiple versions of the decoy/lure documents have been identified in the wild.

c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f    [1]
e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae
efb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52

Malicious documents with functional VBA/ Macro components contain the following code:


The VBA code is designed to generate and drop additional components. Functionality-wise this is very straightforward in that there are no fancy zero-day exploits or other tricks occurring. The code simply serves to drop and execute up to 3 additional files (dropper and payloads). The first of which is netwf.dat (522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805). This is followed by a payload, and a batch file used to execute said payload.

Payload DLL - netwf.dll (ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18)
Batch file - netwf.bat (cca2b02bec26939c4f6444201bf84e259448c15410ecb17ab9fce3b37f94ae78)

The contents of netwf.bat can be seen below:

As per the VBA script, all dropped files are located in %LOCALAPPDATA%.

The Seduploader payload shares functionality with previous examples distributed from this group. Some of the main features of this component are:

  • Data Exfiltration
  • Downloading / Updating of additional components
  • Code execution and modification
  • Screen monitoring / capture

Payload persistence is achieved using methods that have been observed in past campaigns/attacks from this group:

1)  Windows COM Object hijacking (CLSID: {BCDE0395-E52F-467C-8E3D-C4579291692E}
2)   A script is registered under HKCU\Environment\UserInitMprLogonScript to execute the netwf.bat file

It is important to note that for all functional decoy documents observed in the wild, they all generate the same dropper and payload binaries:

cca2b02bec26939c4f6444201bf84e259448c15410ecb17ab9fce3b37f94ae78 netwf.bat
522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805 netwf.dat
ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18 netwf.dll

The C2 for this campaign is/was: myinvestgroup[dot]com which (at the time of this campaign) resolved to 146[dot]185[dot]253[dot]132

Mitigation

CylancePROTECT proactively prevents attacks related to this campaign (and those like it).  With CylancePROTECT installed on the endpoint, and the Script Control features enabled, the attack is stopped pre-execution.


Appendix:  

The CCDCOE CyCon U.S. website has been updated to reflect their awareness of this attack campaign. Their notice cites a previous analysis from Cisco Talos, and includes the correct/legitimate SHA1 hashes of flyers/documents distributed though their official channels:

“Official CyCon U.S. 2017 documents are linked below, with their corresponding SHA1 hash:

CyCon U.S. 2017
(CyCon U.S. Informational Paper: 7be98e83f8284e205661a3ef78748eefa35d0dc5)

CyCon U.S. Social Media Card
(CyCon U.S. Social Media Card: 16892b895ad4a9b91c8cd527795d737fce87f64f)

CyCon US_17_Call for Papers
(CyCon U.S. Call for Papers: 4b67f59c6e4b52157289212b07ae7a11f9b1314d)”

Footnotes:

[1] VBA/ Macro code not intact