Infamous Russia-linked cyber-espionage group Sofacy used BREXIT-themed lure documents in attacks on the same day the United Kingdom Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU).
Also known as Pawn Storm, Sednit, Fancy Bear, APT28, Group 74, Tsar Team, Strontium, and Snakemackerel, the state-sponsored group has been active for over a decade and is believed to have been behind the DNC hack before the US 2016 elections.
In early October, after being observed using a UEFI rootkit in a malicious campaign, security researchers revealed overlaps between Sofacy operations and attacks attributed to other nation-state groups. Earlier this year, the group’s Zebrocy malware was found on machines also infected with Turla’s Mosquito malware.
Now, Accenture’s iDefense analysts reveal (PDF) that a Sofacy attack on November 15 was attempting to deliver the Zebrocy first-stage malware via Microsoft Office carrying malicious macros. The actor used jumbled-up text as content in an attempt to trick unsuspecting victims into enabling the macros.
The lure document would load malicious content from an external source using the settings.xml.rels component embedded within the DOCX file. The downloaded component includes a function called AutoClose() and two payloads embedded via Base64 encoded strings.
Analysis of the IP address used in the attack revealed two different .dotm components containing an identical VBA macro code, each featuring two different embedded payloads: an executable binary file and a .docm file containing a simple macro to execute the dropped executable.
The binaries were found to be the Delphi (initially UPX packed) and .NET versions of the Zebrocy malware. The threat would collect system information and a list of running processes and send the data to the designated command and control (C&C) server.
Collected information includes results from the commands systeminfo and tasklist, current execution path, capture screenshot, drive enumeration, and drive serial number.
“If the system is deemed interesting, the next stage malware would be delivered into corresponding directories. The second-stage malware is delivered to different destinations with an autorun registry key set respectively,” Accenture explains.
Related: Russian State-Sponsored Operations Begin to Overlap: Kaspersky