The Sofacy advanced persistent threat group is delivering a new piece of malware dubbed Cannon in a spear-phishing campaign that targets government organizations in North America, Europe, and a former Soviet state.

The group's latest campaign was spotted in late October and early November. It relied on Word documents that load a remote template carrying malicious macro code, so the document delivered to the victim contains no macro itself; the macro only arrives with the template when the file is opened.

Dropping the Cannon

One of the remote templates retrieved a tool not previously seen in use by the Sofacy actor. Its delivery relies on an uncommon technique that helps evade automated sandbox analysis: the macro's final stage runs from Word's AutoClose event, so the payload executes only when the user closes the document. A sandbox that opens the file, waits for activity, and then kills the Word process without closing the document normally never triggers it.

According to the analysis from Palo Alto Networks' Unit 42, Cannon functions as a downloader and uses email communication to get instructions from the command and control (C2) server.

Its capabilities include establishing persistence, creating a unique system identifier, collecting system details, and capturing screenshots of the desktop. It can also log into a POP3 email account and retrieve attachments, which is how it receives its payload.

Cannon email communication

Cannon sends its emails through three accounts hosted at Seznam, a Czech service provider. The messages go to 'sahro.bella7[at]post.cz', an adversary-controlled address that acts as the C2 point.

To receive commands, Cannon logs into a different Seznam-hosted account, 'Trala[.]cosh2', and reads the messages the attackers have left there.

"The overall purpose of Cannon is to use several email accounts to send system data (system information and screenshot) to the threat actors and to ultimately obtain a payload from an email from the actors," the researchers explain.

Victims lured with airplane crash document

It appears that Sofacy, also known as Fancy Bear, APT28, Sednit, and Strontium, took advantage of the Lion Air Flight 610 crash of late October 2018 as a lure. One of the weaponized files was named 'crash list (Lion Air Boeing 737).docx.'

Luring the victim to enable macros

In a report shared with BleepingComputer, Unit 42 researchers say that capitalizing on a catastrophic event for a spear-phishing lure is unusual for this particular group.

Because the malicious macro lives in the remote template rather than in the document, the attack depends on the availability of the server hosting that template. If the server is offline when the document is opened, Word fails to retrieve the template, no macro loads, and no harm is done.
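The remote-template dependency described above, and the template-loading delivery described earlier in the article, both turn on a single relationship inside the .docx package: a .docx is a zip, and Word records an attached template in word/_rels/settings.xml.rels; when that relationship's Target is a URL, Word fetches the template (and any macro it carries) at open time. The following is an added example written for this page, not code from the article or from Unit 42, that builds a constructed sample document and flags such a relationship. The template URL, the file names and the sample document are all constructed for the example; the article names no template host.

```python
"""Flag .docx files whose attached template is fetched from a remote host.

Added example, not part of the original article or of Unit 42's report.
Word stores the attached template as a Relationship of the attachedTemplate
type in word/_rels/settings.xml.rels. A local Normal.dotm path is routine;
an http(s) URL or a UNC share is what makes Word reach out at open time.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_templates(docx_bytes: bytes) -> list:
    """Return the remote template targets referenced by a .docx (empty if none)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return found  # no settings relationships at all: nothing to attach
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        parsed = urlparse(target)
        scheme = parsed.scheme.lower()
        # http(s) is the classic remote template; file:// with a host part is a UNC share.
        # file:///C:\...\Normal.dotm has an empty host and is left alone.
        if scheme in ("http", "https") or (scheme == "file" and parsed.netloc):
            found.append(target)
    return found


def build_docx(template_target: str, external: bool = True) -> bytes:
    """Construct a minimal zip with the parts the check above reads.

    Constructed sample for this example only; it is not the Sofacy lure and
    carries only the parts needed for the check, not everything Word needs.
    """
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}"{mode}/>'
        "</Relationships>"
    )
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")  # stub body
        zf.writestr("word/settings.xml", settings)
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


def scan(docx_bytes: bytes) -> str:
    """Human-readable verdict for one document."""
    targets = remote_templates(docx_bytes)
    if targets:
        return "SUSPICIOUS: remote template " + ", ".join(targets)
    return "clean: no remote template"


if __name__ == "__main__":
    # Constructed targets; the article does not name the template host.
    lure = build_docx("http://example.invalid/templates/crash.dotm")
    local = build_docx("file:///C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm")
    print(scan(lure))
    print(scan(local))
```

The check is deliberately narrow: it reads one relationships part with the standard library and does not try to parse a vbaProject.bin, so it works on the .docx the victim receives, which by design has no macro in it. Treat any external attachedTemplate target on an inbound document as worth blocking or detonating, and remember that a detonation sandbox will only see the macro if the template host is still up.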
